Privacy Policy
Downloadable PDF
Data Processing Information of AVL-ZalaZONE Kft.
1. Name and Address of the Data Controller
AVL-ZalaZONE Próbapálya Korlátolt Felelősségű Társaság
(abbreviated company name: AVLZalaZONE Kft).;
seat: 8900 Zalaegerszeg, ZalaZONE tér 1.;
company registration number: 20 09 076755;
tax number: 27102947-2-20;
represented by: Hamar Zoltán Managing Director
E-mail address: info@avlzalazone.com
Phone: +36 30 354 5289
2. Titles of Data Processing Activities and Key Information Related to Each Processing Operation
2.1.
|
Data Processing Carried Out During Communication with the Data Controller
|
|
|
Purpose of Data Processing: |
Communication |
|
Legal Basis for Data Processing: |
Point (f) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR): processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The necessity of data processing is justified by the following: The Data Controller has a legitimate interest in maintaining up-to-date communication with its clients, business and cooperation partners, and all individuals who contact the organization (including prospective clients). This includes providing information about the Data Controller’s activities, operations, current and personalized offers, and any content deemed informative for the partner. Furthermore, the goal is to facilitate professional communication and establish business, professional, employment, and representational relationships between clients, prospective clients, interested parties, and collaborators. To serve this interest, it is necessary to process the names and contact details of the Data Controller’s cooperating partners, clients, prospective clients, and interested parties (contact persons). (The legitimate interest assessment related to this processing is available at the Data Controller.) Please note that the data subject has the right to object, at any time and on grounds relating to their particular situation, to the processing of their personal data based on point (f) of Article 6(1) of the GDPR. |
|
Data Subjects and Categories of Data Subjects: |
|
|
List of Processed Personal Data: |
|
|
Retention Period of Processed Personal Data and Criteria for Determining Such Period: |
Upon termination of contact with the data subject, the personal data shall be deleted without delay, but no later than 3 years. |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Data Transfers to Third Countries or International Organizations: |
- |
2.2.
|
Data Processing by the Data Controller in Connection with the Sending of Newsletters |
|
|
Purpose of Data Processing: |
Sending newsletters about the activities of the Data Controller. |
|
Legal Basis for Data Processing: |
Point (a) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR):
The data subject has given consent to the processing of their personal data for one or more specific purposes
Please note that, pursuant to Article 7(3) of the GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically via email using (the contact details provided in Section 1.) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who subscribe to the newsletter function on the Data Controller’s website. |
|
List of Processed Personal Data: |
name, email address. The source of the processed personal data is the data subject. |
|
The retention period of the processed personal data, and the criteria for determining this period: |
Until the withdrawal of consent |
|
Source of the collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Data Transfers to Third Countries or International Organizations: |
- |
2.3.
|
Data Processing on the Data Controller’s Website During Message Submission |
|
|
Purpose of Data Processing: |
Maintaining communication, sending and receiving messages |
|
Legal Basis for Data Processing: |
Point (a) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR):
The data subject has given consent to the processing of their personal data for one or more specific purposes
Please note that, pursuant to Article 7(3) of the GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically via email (using the contact details provided in Section 1.) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who send messages to the Data Controller via the Data Controller’s website. |
|
List of Processed Personal Data: |
The source of the processed personal data is the data subject. |
|
Retention Period and Criteria for Determination: |
Until the withdrawal of consent. |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Data Transfers to Third Countries or International Organizations: |
- |
2.4.
|
Data Processing Related to the Use of Cookies on the Data Controller’s Website |
|
|
Purpose of Data Processing: |
Processing of user data related to the use of the Data Controller’s website operated with content defined by the Data Controller. Collection of information regarding how visitors use the Data Controller’s website. |
|
Legal Basis for Data Processing:
|
Point (a) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
Please note that, pursuant to Article 7(3) of the GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically via email. (using the contact details provided in Section 1.) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who visit the Data Controller’s website |
|
List of Processed Personal Data: |
A www.avlzalazone.com weboldal a weboldal működésével kapcsolatban úgynevezett cookie-kat használ. A cookie egy betűkből és számokból álló információs csomag, amelyet a weboldal küld az Ön böngészőjének, hogy elmentsen bizonyos beállításait, megkönnyítse a weboldal használatát és hozzájáruljon bizonyos releváns, statisztikai információk gyűjtéséhez.
Types of Cookies Used: Cookies may be either “persistent” or “session” cookies. A persistent cookie is stored by the browser for a certain period of time, provided that the user has not deleted it earlier, whereas a session cookie is not stored by the browser and is automatically deleted when the browser is closed. Strictly necessary cookies are essential for the use of the website and enable the use of its basic functions. Without these cookies, many features of the website will not be available to you. Cookies that improve the user experience collect information about how users interact with the website, such as which pages are visited most frequently or what error messages are received from the website. Cookies do not collect information that identifies the visitor, meaning they work with entirely general data that is not linked to the identification of the data subject. The information obtained from these cookies is used to improve the performance of the website and to compile anonymous statistics. Disabling cookies: If you do not consent to the placement of cookies, you can disable or withdraw your consent through your browser settings. In this case, certain services may be restricted or unavailable. For more information on deleting cookies via your browser, please refer to the following links: Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-managecookies# ie = ie-11
Firefox: https://support.mozilla.org/en/kb/sutik-informacio-which-websites-shares Chrome: https://support.google.com/chrome/answer/95647?hl=en_US |
|
Retention Period and Criteria for Determination: |
Until the withdrawal of consent. |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
-
|
|
Data Processor: |
- |
|
Data Transfers to Third Countries or International Organizations: |
- |
2.5.
|
Data Processing During Registration on the Data Controller’s Website |
|
|
Purpose of Data Processing: |
Registration, Contact, Sending Information |
|
Legal Basis of Data Processing: |
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), Article 6(1)(a):
the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Data subjects are hereby informed that, pursuant to Article 7(3) of the GDPR, they have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Data subjects must be informed of this prior to giving consent. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically, including via email (using the contact details specified in point 1.) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who register on the Data Controller’s website |
|
List of Processed Personal Data: |
The source of the processed personal data is the data subject. |
|
Duration of Retention of Processed Personal Data and Criteria for Determining This Period: |
Until the withdrawal of consent |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Data Transfer to Third Countries or International Organizations: |
- |
2.6.
|
Data Processing During Booking via the Controller’s Website |
|
|
Purpose of Data Processing: |
online booking
Through the Company’s website, users have the opportunity to submit a booking request, which qualifies as a service order. This enables users to access and utilize the services provided by the Company. |
|
Legal Basis of Data Processing: |
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), Article 6(1)(b) provides that: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who register on the Data Controller’s website |
|
List of Processed Personal Data: |
The Company necessarily processes the following data: the company name, registered office address, tax identification number, telephone number, bank account number, email address, fax number, the name of the contact person, the direct telephone number of the contact person, the email address of the contact person, fax number, the email address of the contact person, the name of the financial contact person, the telephone number of the financial contact person, the direct email address of the financial contact person, and the billing address. The source of the personal data processed is the data subject. |
|
Duration of Retention of Processed Personal Data and Criteria for Determining This Period |
5 years in the case of invoice issuance 8 years |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Transfer of Personal Data to Third Countries or International Organizations: |
- |
2.7.
|
Data Processing During Invoice Issuance |
|
|
Purpose of Data Processing: |
Issuance of Invoices in Connection with Services Provided by the Data Controller |
|
Legal Basis of Data Processing: |
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), Article 6(1)(c): compliance with a legal obligation The mandatory content of an invoice is governed by Section 169 of Act CXXVII of 2007 on Value Added Tax (VAT Act). |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who use the services provided by the Data Controller and, where applicable, those authorized to receive invoices. |
|
List of Processed Personal Data: |
Personal data specified in Section 169 of Act CXXVII of 2007 on Value Added Tax (VAT Act)
169. § The invoice must contain the following data: a. the date of issue of the invoice; b. the serial number of the invoice, which uniquely identifies the invoice; c. the tax identification number of the supplier of goods or provider of services under which the supply was made; d. the tax identification number of the purchaser of goods or recipient of services: da) under which the supply was made to the taxable person; db) under which the supply defined in Section 89 was made; dc) the first eight digits of the tax number or group VAT identification number, if the purchaser is a domestic taxable person and the supplier is established or resident in Hungary for economic purposes; e. the name and address of the supplier and the purchaser; f. the name and quantity of the supplied goods (using the customs tariff number – VTSZ – if applicable), or the name and quantity of the provided services (using the TESZOR’15 code if applicable), expressed in natural units; g. the date of supply, if different from the date of invoice issuance, as per Section 163 (1) a) and b); h. the phrase “cash accounting” if special taxation rules under Chapter XIII/A apply; i. the taxable amount, the unit price excluding VAT, and any discounts not included in the unit price; j. the applicable VAT rate; k. the amount of VAT charged, unless excluded by law; l. the phrase “self-billing” if the invoice is issued by the purchaser or recipient; m. in case of VAT exemption, a reference to the legal provision or the relevant EU directive, or any clear indication that the supply is exempt from VAT; n. the phrase “reverse charge” if the purchaser or recipient is liable to pay VAT; o. in case of supply of a new means of transport under Section 89, the data defined in Section 259 point 25; p. the phrase “margin scheme – travel agencies” if the special rules under Chapter XV apply; q. the appropriate phrase from “margin scheme – second-hand goods”, “margin scheme – works of art”, or “margin scheme – collectors’ items and antiques” if the special rules under Chapter XVI apply; r. if a fiscal representative is used, their name, address, and tax identification number. |
|
The retention period of the processed Personal Data and the criteria for determining this period: |
Pursuant to Section 169 (2) of Act C of 2000 on Accounting, records must be retained for 8 years |
|
Source of the Collected Personal Data: |
The personal data are obtained from the Data Controller, except for the data subject’s name and tax identification number, which are provided directly by the data subject. |
|
Recipient: |
Data transfer occurs in cases where the National Tax and Customs Administration conducts an inspection. |
|
Data processor: |
PricewaterhouseCoopers Hungary Limited Liability Company
AVL Hungary Limited Liability Company
|
|
Data Transfer to Third Countries or International Organizations: |
does not happen |
2.8.
|
Processing of personal data during the recording, use, and publication of image and audio recordings at events, test drives, and trainings |
|
|
Purpose of Data Processing: |
Recording, use, and publication of image and audio recordings at events, test drives, and trainings organized by the Data Controller on the Data Controller’s communication platforms for the purpose of providing authentic, fast, and accurate information, as well as promoting the activities and events of the Data Controller. |
|
Legal Basis of Data Processing: |
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Article 6(1)(a) of the GDPR:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
In the case of special categories of personal data, Article 9(2)(a) of the GDPR applies: explicit consent of the data subject
Please note that under Article 7(3) of the GDPR, the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically, including via email. (via the contact details specified in point 1) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons appearing in photographs or video recordings taken at events or test drives organized by the Data Controller, and in the case of minors, their legal representative. |
|
List of Processed Personal Data: |
Image and audio recordings: the data subject’s likeness, physical physiological characteristics, movement, activity, voice, and spoken content. The source of the processed personal data is the data subject. |
|
Retention period of the processed personal data and the criteria for determining this period: |
Until the withdrawal of consent, but no longer than 3 years |
|
Source of the processed personal data: |
Directly from the data subject. |
|
Recipient: |
Meta Platforms Ireland Limited ATTN: Privacy Operations Merrion Road Dublin 4 D04 X2K5, Ireland (Facebook, Instagram)
Google Ireland Limited Gordon House, Barrow Street LinkedinLinkedIn Ireland Unlimited Company D02 HR68 |
|
Data Processor: |
- |
|
Data Transfer to Third Countries or International Organizations: |
does not happen |
2.9.
|
Processing of personal data during the complaint handling activities of the Data Controller |
|
|
Purpose of Data Processing: |
Handling of complaints submitted to the Data Controller |
|
Legal Basis of Data Processing: |
Article 6(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC: compliance with a legal obligation, and pursuant to Section 17/A of Act CLV of 1997 on Consumer Protection (Fgytv.) (2) The consumer may submit a complaint to the business either verbally or in writing. (3) A verbal complaint must be investigated immediately and remedied as necessary. If the consumer disagrees with the handling of the complaint, or if immediate investigation is not possible, the business is obliged to promptly record the complaint and its position regarding it in a written report, and provide a copy of the report: a) in the case of a verbal complaint made in person, hand it over to the consumer on the spot, b) in the case of a verbal complaint made via telephone or other electronic communication service, send it to the consumer no later than together with the substantive response referred to in paragraph (6); in all other cases, the business must proceed according to the provisions applicable to written complaints as set out in paragraph (6). (4) A verbal complaint made via telephone or other electronic communication service must be assigned a unique identification number by the business. (5) The written report (minutes) of the complaint must include the following: a) the consumer’s name and address, b) the place, time, and method of submitting the complaint, c) a detailed description of the consumer’s complaint, and a list of documents, records, and other evidence presented by the consumer, d) the business’s statement regarding its position on the consumer’s complaint, if immediate investigation is possible, e) the name of the person recording the minutes and – except in the case of verbal complaints made via telephone or other electronic communication service – the consumer’s signature, f) the place and time of recording the minutes, g) in the case of verbal complaints made via telephone or other electronic communication service, the unique identification number of the complaint. |
|
Data subjects and categories of data subjects: |
Natural persons submitting a complaint to the Data Controller, and employees acting on behalf of the Data Controller. |
|
List of processed personal data: |
|
|
Retention period of the processed personal data and the criteria for determining this period: |
According to Section 17/A (7) of Act CLV of 1997 on Consumer Protection (Fgytv.), the business is required to retain the minutes recorded about the complaint and a copy of the response for a period of three years, and must present them to the supervisory authorities upon request. |
|
Source of the processed personal data: |
Directly from the data subject, except in the case of points d) and g): the Data Controller. |
|
Recipient: |
Pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection (Fgytv.), the supervisory authorities |
|
Data Processor: |
- |
|
Data Transfer to Third Countries or International Organizations: |
does not happen |
3. General Description of Data Security Measures
The Data Controller places great emphasis on ensuring the appropriate physical and IT protection of your data when developing the technical, procedural, and organizational (administrative) rules for data processing operations. The primary objective of the implemented measures is to prevent and avoid unauthorized access to the processed data, as well as unauthorized alteration, transmission, disclosure, deletion, or damage of such data. The Data Controller selects the tools and measures used during data processing accordingly. Furthermore, the Data Controller ensures that only authorized individuals have access to the processed data, and that the authenticity and integrity of the data are maintained.
The operator of the IT system shall use all available means to:
a) ensure the continuous confidentiality, integrity, availability, and resilience of systems and services used for processing personal data;
b) guarantee that, in the event of a physical or technical incident, access to personal data and the availability of such data can be restored in a timely manner;
c) manage access rights to the IT system;
d) ensure that each user may only perform operations corresponding to their level of authorization;
e) implement and operate the security requirements applicable to the IT system.
Among multiple possible data processing solutions, the Data Controller shall select the one that provides a higher level of protection for personal data, based on a risk assessment—unless doing so would impose a disproportionate burden.
The Data Controller’s IT system must be capable, using available resources, of ensuring the physical and logical security measures necessary to protect data from unauthorized access, alteration, transmission, disclosure, deletion, destruction, accidental damage, or loss.
More detailed information may be requested from the Data Controller.
4. Guarantee of Data Subject Rights
In connection with data processing, the data subject may, at any time, request the following from the data controller:
- access to the personal data processed about them,
- rectification of inaccurate personal data,
- erasure of the processed data,
- restriction of data processing,
- object to data processing [in cases based on Article 6(1)(e) or (f) of the GDPR],
- withdraw their previously given consent (in cases where processing is based on consent),
- exercise the right to data portability [in cases based on Article 6(1)(a) or (b) of the GDPR],
- in case of perceived unlawful data processing, lodge a complaint with a supervisory authority or initiate legal proceedings.
4.1. The data subject may exercise their right of access under Article 15 of the GDPR as follows:
The data subject shall have the right to obtain confirmation from the data controller as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject;
• where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
The data subject shall have the right to obtain a copy of the personal data undergoing processing — without prejudice to the rights and freedoms of others — free of charge for the first copy. The data controller shall provide the copy of the personal data subject to processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic format, unless otherwise requested by the data subject.
The right to obtain a copy shall not adversely affect the rights and freedoms of others.
4.2. The data subject may exercise their right to rectification under Article 16 of the GDPR as follows
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay upon request.
Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data — including by means of providing a supplementary statement.
4.3. The data subject may exercise their right to erasure under Article 17 of the GDPR as follows
The data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay upon request, and the controller shall be obliged to erase such personal data without undue delay where one of the following grounds applies:
– The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
– The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
– The personal data have been unlawfully processed;
– The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
– The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
The above shall not apply to the extent that processing is necessary:
– For exercising the right of freedom of expression and information;
– For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) and Article 9(3) of the GDPR;
– For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
– For the establishment, exercise or defence of legal claims.
4.4. The data subject may exercise their right to restriction of processing under Article 18 of the GDPR as follows:
The data subject shall have the right to obtain from the controller the restriction of processing where one of the following applies:
– The accuracy of the personal data is contested by the data subject, in which case processing shall be restricted for a period enabling the controller to verify the accuracy of the personal data;
– The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– The controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defence of legal claims; or
– The data subject has objected to processing pursuant to Article 21(1) of the GDPR, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing is subject to restriction, such personal data may, with the exception of storage, only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
The controller shall inform the data subject, at whose request the processing has been restricted, in advance of the lifting of the restriction of processing.
4.5. Joint Notification Rules
The data controller shall inform all recipients to whom personal data have been disclosed of any rectification, erasure, or restriction of processing carried out pursuant to Article 16, Article 17(1), and Article 18 of the GDPR, unless this proves impossible or involves disproportionate effort. Upon request, the data controller shall inform the data subject about such recipients.
The data controller shall provide information to the data subject without undue delay, and in any case within one month of receipt of the request, regarding the actions taken in response to a request under Articles 15 to 22 of the GDPR. Where necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The data controller shall inform the data subject of any such extension within one month of receiving the request, stating the reasons for the delay. If the data subject submitted the request electronically, the response shall be provided electronically where possible, unless the data subject requests otherwise.
4.6. Right to object
The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Article 6(1)(e) or Article 6(1)(f) of the GDPR, including profiling based on those provisions.
In such cases, the data controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing is necessary for the establishment, exercise, or defense of legal claims.
4.7. Right to Data Portability
The data subject shall have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and shall have the right to transmit those data to another data controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b); and
- the processing is carried out by automated means.
In exercising the right to data portability as described above, the data subject shall have the right — where technically feasible — to request the direct transmission of personal data from one controller to another.
The exercise of this right shall not adversely affect the rights and freedoms of others, nor shall it infringe Article 17 of the GDPR. This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
4.8. Automated Decision-Making in Individual Cases, Including Profiling
The data subject has the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning them or similarly significantly affects them.
This provision does not apply if the decision:
• is necessary for entering into or performing a contract between the data subject and the data controller;
• is authorized by Union or Member State law applicable to the data controller, which also lays down appropriate measures to safeguard the data subject’s rights, freedoms, and legitimate interests; or
• is based on the data subject’s explicit consent.
4.9. Dispute Resolution and Legal Remedies
If the data subject believes that the data processing violates the provisions of the GDPR or the Hungarian Information Act (Infotv.), or considers the way the data controller handles their personal data to be objectionable, it is recommended that they first contact the data controller with their complaint. Every complaint will be investigated.
az AVL-ZalaZONE Próbapálya Korlátolt Felelősségű Társaság
(abbreviated company name: AVLZalaZONE Kft).;
reg. seat: 8900 Zalaegerszeg, ZalaZONE tér 1.;
company reg. number: 20 09 076755;
tax number: 27102947-2-20;
rep. by: Hamar Zoltán Managing Director
E-mail address: info@avlzalazone.com
Phone number: +36 30 354 5289
Your request will be investigated within one month. This deadline may be extended by an additional two months, taking into account the complexity of the case.
If, despite your complaint, you continue to object to the way the data controller handles your personal data, or if you wish to contact the authority directly, you may file a report with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9–11., mailing address: 1363 Budapest, Pf.: 9. Email: ugyfelszolgalat@naih.hu, website: www.naih.hu).
You also have the option to take legal action to protect your personal data. The court will proceed with the case as a matter of priority. In this case, you may freely choose whether to submit your claim to the court of your permanent residence or the court of your temporary residence (http://birosag.hu/torvenyszekek).
You can locate the relevant court based on your residence at the following link:
https://birosag.hu/birosag-kereso
5. Other provisions
No automated decision-making or profiling takes place during the processing of personal data as described in this Data Processing Notice. The Data Controller reserves the right to
unilaterally amend this notice with future effect. Data subjects will be informed of any changes via the Data Controller’s website.
Budapest, 2 September 2025.
PRIVACY POLICY
Data Processing Information of AVL-ZalaZONE Kft.
1. Name and Address of the Data Controller
AVL-ZalaZONE Próbapálya Korlátolt Felelősségű Társaság
(abbreviated company name: AVLZalaZONE Kft).;
seat: 8900 Zalaegerszeg, ZalaZONE tér 1.;
company registration number: 20 09 076755;
tax number: 27102947-2-20;
represented by: Hamar Zoltán Managing Director
E-mail address: info@avlzalazone.com
Phone: +36 30 354 5289
2. Titles of Data Processing Activities and Key Information Related to Each Processing Operation
2.1.
|
Data Processing Carried Out During Communication with the Data Controller
|
|
|
Purpose of Data Processing: |
Communication |
|
Legal Basis for Data Processing: |
Point (f) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR): processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The necessity of data processing is justified by the following: The Data Controller has a legitimate interest in maintaining up-to-date communication with its clients, business and cooperation partners, and all individuals who contact the organization (including prospective clients). This includes providing information about the Data Controller’s activities, operations, current and personalized offers, and any content deemed informative for the partner. Furthermore, the goal is to facilitate professional communication and establish business, professional, employment, and representational relationships between clients, prospective clients, interested parties, and collaborators. To serve this interest, it is necessary to process the names and contact details of the Data Controller’s cooperating partners, clients, prospective clients, and interested parties (contact persons). (The legitimate interest assessment related to this processing is available at the Data Controller.) Please note that the data subject has the right to object, at any time and on grounds relating to their particular situation, to the processing of their personal data based on point (f) of Article 6(1) of the GDPR. |
|
Data Subjects and Categories of Data Subjects: |
|
|
List of Processed Personal Data: |
|
|
Retention Period of Processed Personal Data and Criteria for Determining Such Period: |
Upon termination of contact with the data subject, the personal data shall be deleted without delay, but no later than 3 years. |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Data Transfers to Third Countries or International Organizations: |
- |
2.2.
|
Data Processing by the Data Controller in Connection with the Sending of Newsletters |
|
|
Purpose of Data Processing: |
Sending newsletters about the activities of the Data Controller. |
|
Legal Basis for Data Processing: |
Point (a) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR):
The data subject has given consent to the processing of their personal data for one or more specific purposes
Please note that, pursuant to Article 7(3) of the GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically via email using (the contact details provided in Section 1.) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who subscribe to the newsletter function on the Data Controller’s website. |
|
List of Processed Personal Data: |
name, email address. The source of the processed personal data is the data subject. |
|
The retention period of the processed personal data, and the criteria for determining this period: |
Until the withdrawal of consent |
|
Source of the collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Data Transfers to Third Countries or International Organizations: |
- |
2.3.
|
Data Processing on the Data Controller’s Website During Message Submission |
|
|
Purpose of Data Processing: |
Maintaining communication, sending and receiving messages |
|
Legal Basis for Data Processing: |
Point (a) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR):
The data subject has given consent to the processing of their personal data for one or more specific purposes
Please note that, pursuant to Article 7(3) of the GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically via email (using the contact details provided in Section 1.) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who send messages to the Data Controller via the Data Controller’s website. |
|
List of Processed Personal Data: |
The source of the processed personal data is the data subject. |
|
Retention Period and Criteria for Determination: |
Until the withdrawal of consent. |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Data Transfers to Third Countries or International Organizations: |
- |
2.4.
|
Data Processing Related to the Use of Cookies on the Data Controller’s Website |
|
|
Purpose of Data Processing: |
Processing of user data related to the use of the Data Controller’s website operated with content defined by the Data Controller. Collection of information regarding how visitors use the Data Controller’s website. |
|
Legal Basis for Data Processing:
|
Point (a) of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
Please note that, pursuant to Article 7(3) of the GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically via email. (using the contact details provided in Section 1.) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who visit the Data Controller’s website |
|
List of Processed Personal Data: |
A www.avlzalazone.com weboldal a weboldal működésével kapcsolatban úgynevezett cookie-kat használ. A cookie egy betűkből és számokból álló információs csomag, amelyet a weboldal küld az Ön böngészőjének, hogy elmentsen bizonyos beállításait, megkönnyítse a weboldal használatát és hozzájáruljon bizonyos releváns, statisztikai információk gyűjtéséhez.
Types of Cookies Used: Cookies may be either “persistent” or “session” cookies. A persistent cookie is stored by the browser for a certain period of time, provided that the user has not deleted it earlier, whereas a session cookie is not stored by the browser and is automatically deleted when the browser is closed. Strictly necessary cookies are essential for the use of the website and enable the use of its basic functions. Without these cookies, many features of the website will not be available to you. Cookies that improve the user experience collect information about how users interact with the website, such as which pages are visited most frequently or what error messages are received from the website. Cookies do not collect information that identifies the visitor, meaning they work with entirely general data that is not linked to the identification of the data subject. The information obtained from these cookies is used to improve the performance of the website and to compile anonymous statistics. Disabling cookies: If you do not consent to the placement of cookies, you can disable or withdraw your consent through your browser settings. In this case, certain services may be restricted or unavailable. For more information on deleting cookies via your browser, please refer to the following links: Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-managecookies# ie = ie-11
Firefox: https://support.mozilla.org/en/kb/sutik-informacio-which-websites-shares Chrome: https://support.google.com/chrome/answer/95647?hl=en_US |
|
Retention Period and Criteria for Determination: |
Until the withdrawal of consent. |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
-
|
|
Data Processor: |
- |
|
Data Transfers to Third Countries or International Organizations: |
- |
2.5.
|
Data Processing During Registration on the Data Controller’s Website |
|
|
Purpose of Data Processing: |
Registration, Contact, Sending Information |
|
Legal Basis of Data Processing: |
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), Article 6(1)(a):
the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Data subjects are hereby informed that, pursuant to Article 7(3) of the GDPR, they have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Data subjects must be informed of this prior to giving consent. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically, including via email (using the contact details specified in point 1.) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who register on the Data Controller’s website |
|
List of Processed Personal Data: |
The source of the processed personal data is the data subject. |
|
Duration of Retention of Processed Personal Data and Criteria for Determining This Period: |
Until the withdrawal of consent |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Data Transfer to Third Countries or International Organizations: |
- |
2.6.
|
Data Processing During Booking via the Controller’s Website |
|
|
Purpose of Data Processing: |
online booking
Through the Company’s website, users have the opportunity to submit a booking request, which qualifies as a service order. This enables users to access and utilize the services provided by the Company. |
|
Legal Basis of Data Processing: |
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), Article 6(1)(b) provides that: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who register on the Data Controller’s website |
|
List of Processed Personal Data: |
The Company necessarily processes the following data: the company name, registered office address, tax identification number, telephone number, bank account number, email address, fax number, the name of the contact person, the direct telephone number of the contact person, the email address of the contact person, fax number, the email address of the contact person, the name of the financial contact person, the telephone number of the financial contact person, the direct email address of the financial contact person, and the billing address. The source of the personal data processed is the data subject. |
|
Duration of Retention of Processed Personal Data and Criteria for Determining This Period |
5 years in the case of invoice issuance 8 years |
|
Source of Collected Personal Data: |
Directly from the data subject. |
|
Recipient: |
- |
|
Data Processor: |
- |
|
Transfer of Personal Data to Third Countries or International Organizations: |
- |
2.7.
|
Data Processing During Invoice Issuance |
|
|
Purpose of Data Processing: |
Issuance of Invoices in Connection with Services Provided by the Data Controller |
|
Legal Basis of Data Processing: |
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), Article 6(1)(c): compliance with a legal obligation The mandatory content of an invoice is governed by Section 169 of Act CXXVII of 2007 on Value Added Tax (VAT Act). |
|
Data Subjects and Categories of Data Subjects: |
Natural persons who use the services provided by the Data Controller and, where applicable, those authorized to receive invoices. |
|
List of Processed Personal Data: |
Personal data specified in Section 169 of Act CXXVII of 2007 on Value Added Tax (VAT Act)
169. § The invoice must contain the following data: a. the date of issue of the invoice; b. the serial number of the invoice, which uniquely identifies the invoice; c. the tax identification number of the supplier of goods or provider of services under which the supply was made; d. the tax identification number of the purchaser of goods or recipient of services: da) under which the supply was made to the taxable person; db) under which the supply defined in Section 89 was made; dc) the first eight digits of the tax number or group VAT identification number, if the purchaser is a domestic taxable person and the supplier is established or resident in Hungary for economic purposes; e. the name and address of the supplier and the purchaser; f. the name and quantity of the supplied goods (using the customs tariff number – VTSZ – if applicable), or the name and quantity of the provided services (using the TESZOR’15 code if applicable), expressed in natural units; g. the date of supply, if different from the date of invoice issuance, as per Section 163 (1) a) and b); h. the phrase “cash accounting” if special taxation rules under Chapter XIII/A apply; i. the taxable amount, the unit price excluding VAT, and any discounts not included in the unit price; j. the applicable VAT rate; k. the amount of VAT charged, unless excluded by law; l. the phrase “self-billing” if the invoice is issued by the purchaser or recipient; m. in case of VAT exemption, a reference to the legal provision or the relevant EU directive, or any clear indication that the supply is exempt from VAT; n. the phrase “reverse charge” if the purchaser or recipient is liable to pay VAT; o. in case of supply of a new means of transport under Section 89, the data defined in Section 259 point 25; p. the phrase “margin scheme – travel agencies” if the special rules under Chapter XV apply; q. the appropriate phrase from “margin scheme – second-hand goods”, “margin scheme – works of art”, or “margin scheme – collectors’ items and antiques” if the special rules under Chapter XVI apply; r. if a fiscal representative is used, their name, address, and tax identification number. |
|
The retention period of the processed Personal Data and the criteria for determining this period: |
Pursuant to Section 169 (2) of Act C of 2000 on Accounting, records must be retained for 8 years |
|
Source of the Collected Personal Data: |
The personal data are obtained from the Data Controller, except for the data subject’s name and tax identification number, which are provided directly by the data subject. |
|
Recipient: |
Data transfer occurs in cases where the National Tax and Customs Administration conducts an inspection. |
|
Data processor: |
PricewaterhouseCoopers Hungary Limited Liability Company
AVL Hungary Limited Liability Company
|
|
Data Transfer to Third Countries or International Organizations: |
does not happen |
2.8.
|
Processing of personal data during the recording, use, and publication of image and audio recordings at events, test drives, and trainings |
|
|
Purpose of Data Processing: |
Recording, use, and publication of image and audio recordings at events, test drives, and trainings organized by the Data Controller on the Data Controller’s communication platforms for the purpose of providing authentic, fast, and accurate information, as well as promoting the activities and events of the Data Controller. |
|
Legal Basis of Data Processing: |
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Article 6(1)(a) of the GDPR:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
In the case of special categories of personal data, Article 9(2)(a) of the GDPR applies: explicit consent of the data subject
Please note that under Article 7(3) of the GDPR, the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent must be made as easy as giving it. Consent may be withdrawn verbally, in writing, or electronically, including via email. (via the contact details specified in point 1) |
|
Data Subjects and Categories of Data Subjects: |
Natural persons appearing in photographs or video recordings taken at events or test drives organized by the Data Controller, and in the case of minors, their legal representative. |
|
List of Processed Personal Data: |
Image and audio recordings: the data subject’s likeness, physical physiological characteristics, movement, activity, voice, and spoken content. The source of the processed personal data is the data subject. |
|
Retention period of the processed personal data and the criteria for determining this period: |
Until the withdrawal of consent, but no longer than 3 years |
|
Source of the processed personal data: |
Directly from the data subject. |
|
Recipient: |
Meta Platforms Ireland Limited ATTN: Privacy Operations Merrion Road Dublin 4 D04 X2K5, Ireland (Facebook, Instagram)
Google Ireland Limited Gordon House, Barrow Street LinkedinLinkedIn Ireland Unlimited Company D02 HR68 |
|
Data Processor: |
- |
|
Data Transfer to Third Countries or International Organizations: |
does not happen |
2.9.
|
Processing of personal data during the complaint handling activities of the Data Controller |
|
|
Purpose of Data Processing: |
Handling of complaints submitted to the Data Controller |
|
Legal Basis of Data Processing: |
Article 6(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC: compliance with a legal obligation, and pursuant to Section 17/A of Act CLV of 1997 on Consumer Protection (Fgytv.) (2) The consumer may submit a complaint to the business either verbally or in writing. (3) A verbal complaint must be investigated immediately and remedied as necessary. If the consumer disagrees with the handling of the complaint, or if immediate investigation is not possible, the business is obliged to promptly record the complaint and its position regarding it in a written report, and provide a copy of the report: a) in the case of a verbal complaint made in person, hand it over to the consumer on the spot, b) in the case of a verbal complaint made via telephone or other electronic communication service, send it to the consumer no later than together with the substantive response referred to in paragraph (6); in all other cases, the business must proceed according to the provisions applicable to written complaints as set out in paragraph (6). (4) A verbal complaint made via telephone or other electronic communication service must be assigned a unique identification number by the business. (5) The written report (minutes) of the complaint must include the following: a) the consumer’s name and address, b) the place, time, and method of submitting the complaint, c) a detailed description of the consumer’s complaint, and a list of documents, records, and other evidence presented by the consumer, d) the business’s statement regarding its position on the consumer’s complaint, if immediate investigation is possible, e) the name of the person recording the minutes and – except in the case of verbal complaints made via telephone or other electronic communication service – the consumer’s signature, f) the place and time of recording the minutes, g) in the case of verbal complaints made via telephone or other electronic communication service, the unique identification number of the complaint. |
|
Data subjects and categories of data subjects: |
Natural persons submitting a complaint to the Data Controller, and employees acting on behalf of the Data Controller. |
|
List of processed personal data: |
|
|
Retention period of the processed personal data and the criteria for determining this period: |
According to Section 17/A (7) of Act CLV of 1997 on Consumer Protection (Fgytv.), the business is required to retain the minutes recorded about the complaint and a copy of the response for a period of three years, and must present them to the supervisory authorities upon request. |
|
Source of the processed personal data: |
Directly from the data subject, except in the case of points d) and g): the Data Controller. |
|
Recipient: |
Pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection (Fgytv.), the supervisory authorities |
|
Data Processor: |
- |
|
Data Transfer to Third Countries or International Organizations: |
does not happen |
3. General Description of Data Security Measures
The Data Controller places great emphasis on ensuring the appropriate physical and IT protection of your data when developing the technical, procedural, and organizational (administrative) rules for data processing operations. The primary objective of the implemented measures is to prevent and avoid unauthorized access to the processed data, as well as unauthorized alteration, transmission, disclosure, deletion, or damage of such data. The Data Controller selects the tools and measures used during data processing accordingly. Furthermore, the Data Controller ensures that only authorized individuals have access to the processed data, and that the authenticity and integrity of the data are maintained.
The operator of the IT system shall use all available means to:
a) ensure the continuous confidentiality, integrity, availability, and resilience of systems and services used for processing personal data;
b) guarantee that, in the event of a physical or technical incident, access to personal data and the availability of such data can be restored in a timely manner;
c) manage access rights to the IT system;
d) ensure that each user may only perform operations corresponding to their level of authorization;
e) implement and operate the security requirements applicable to the IT system.
Among multiple possible data processing solutions, the Data Controller shall select the one that provides a higher level of protection for personal data, based on a risk assessment—unless doing so would impose a disproportionate burden.
The Data Controller’s IT system must be capable, using available resources, of ensuring the physical and logical security measures necessary to protect data from unauthorized access, alteration, transmission, disclosure, deletion, destruction, accidental damage, or loss.
More detailed information may be requested from the Data Controller.
4. Guarantee of Data Subject Rights
In connection with data processing, the data subject may, at any time, request the following from the data controller:
- access to the personal data processed about them,
- rectification of inaccurate personal data,
- erasure of the processed data,
- restriction of data processing,
- object to data processing [in cases based on Article 6(1)(e) or (f) of the GDPR],
- withdraw their previously given consent (in cases where processing is based on consent),
- exercise the right to data portability [in cases based on Article 6(1)(a) or (b) of the GDPR],
- in case of perceived unlawful data processing, lodge a complaint with a supervisory authority or initiate legal proceedings.
4.1. The data subject may exercise their right of access under Article 15 of the GDPR as follows:
The data subject shall have the right to obtain confirmation from the data controller as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject;
• where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
The data subject shall have the right to obtain a copy of the personal data undergoing processing — without prejudice to the rights and freedoms of others — free of charge for the first copy. The data controller shall provide the copy of the personal data subject to processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic format, unless otherwise requested by the data subject.
The right to obtain a copy shall not adversely affect the rights and freedoms of others.
4.2. The data subject may exercise their right to rectification under Article 16 of the GDPR as follows
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay upon request.
Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data — including by means of providing a supplementary statement.
4.3. The data subject may exercise their right to erasure under Article 17 of the GDPR as follows
The data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay upon request, and the controller shall be obliged to erase such personal data without undue delay where one of the following grounds applies:
– The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
– The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
– The personal data have been unlawfully processed;
– The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
– The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
The above shall not apply to the extent that processing is necessary:
– For exercising the right of freedom of expression and information;
– For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) and Article 9(3) of the GDPR;
– For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
– For the establishment, exercise or defence of legal claims.
4.4. The data subject may exercise their right to restriction of processing under Article 18 of the GDPR as follows:
The data subject shall have the right to obtain from the controller the restriction of processing where one of the following applies:
– The accuracy of the personal data is contested by the data subject, in which case processing shall be restricted for a period enabling the controller to verify the accuracy of the personal data;
– The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– The controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defence of legal claims; or
– The data subject has objected to processing pursuant to Article 21(1) of the GDPR, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing is subject to restriction, such personal data may, with the exception of storage, only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
The controller shall inform the data subject, at whose request the processing has been restricted, in advance of the lifting of the restriction of processing.
4.5. Joint Notification Rules
The data controller shall inform all recipients to whom personal data have been disclosed of any rectification, erasure, or restriction of processing carried out pursuant to Article 16, Article 17(1), and Article 18 of the GDPR, unless this proves impossible or involves disproportionate effort. Upon request, the data controller shall inform the data subject about such recipients.
The data controller shall provide information to the data subject without undue delay, and in any case within one month of receipt of the request, regarding the actions taken in response to a request under Articles 15 to 22 of the GDPR. Where necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The data controller shall inform the data subject of any such extension within one month of receiving the request, stating the reasons for the delay. If the data subject submitted the request electronically, the response shall be provided electronically where possible, unless the data subject requests otherwise.
4.6. Right to object
The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Article 6(1)(e) or Article 6(1)(f) of the GDPR, including profiling based on those provisions.
In such cases, the data controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing is necessary for the establishment, exercise, or defense of legal claims.
4.7. Right to Data Portability
The data subject shall have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and shall have the right to transmit those data to another data controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b); and
- the processing is carried out by automated means.
In exercising the right to data portability as described above, the data subject shall have the right — where technically feasible — to request the direct transmission of personal data from one controller to another.
The exercise of this right shall not adversely affect the rights and freedoms of others, nor shall it infringe Article 17 of the GDPR. This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
4.8. Automated Decision-Making in Individual Cases, Including Profiling
The data subject has the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning them or similarly significantly affects them.
This provision does not apply if the decision:
• is necessary for entering into or performing a contract between the data subject and the data controller;
• is authorized by Union or Member State law applicable to the data controller, which also lays down appropriate measures to safeguard the data subject’s rights, freedoms, and legitimate interests; or
• is based on the data subject’s explicit consent.
4.9. Dispute Resolution and Legal Remedies
If the data subject believes that the data processing violates the provisions of the GDPR or the Hungarian Information Act (Infotv.), or considers the way the data controller handles their personal data to be objectionable, it is recommended that they first contact the data controller with their complaint. Every complaint will be investigated.
az AVL-ZalaZONE Próbapálya Korlátolt Felelősségű Társaság
(abbreviated company name: AVLZalaZONE Kft).;
reg. seat: 8900 Zalaegerszeg, ZalaZONE tér 1.;
company reg. number: 20 09 076755;
tax number: 27102947-2-20;
rep. by: Hamar Zoltán Managing Director
E-mail address: info@avlzalazone.com
Phone number: +36 30 354 5289
Your request will be investigated within one month. This deadline may be extended by an additional two months, taking into account the complexity of the case.
If, despite your complaint, you continue to object to the way the data controller handles your personal data, or if you wish to contact the authority directly, you may file a report with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9–11., mailing address: 1363 Budapest, Pf.: 9. Email: ugyfelszolgalat@naih.hu, website: www.naih.hu).
You also have the option to take legal action to protect your personal data. The court will proceed with the case as a matter of priority. In this case, you may freely choose whether to submit your claim to the court of your permanent residence or the court of your temporary residence (http://birosag.hu/torvenyszekek).
You can locate the relevant court based on your residence at the following link:
https://birosag.hu/birosag-kereso
5. Other provisions
No automated decision-making or profiling takes place during the processing of personal data as described in this Data Processing Notice. The Data Controller reserves the right to
unilaterally amend this notice with future effect. Data subjects will be informed of any changes via the Data Controller’s website.
Budapest, 2 September 2025.