Data processing information related to Newsletter menu

Mammut Management Kft., as the beneficiary of the www.mammut.hu website acts as controller in respect of the personal data related to this website. If you visit this website and communicate with Mammut Management Kft. by using the “Newsletter” menu at www.mammut.hu/kapcsolat, and sign up for our newsletters, your personal data will be processed. We give you the following information about the processing of your personal data.

1. Data of the Controller

   Company name:	Mammut Management Kft.
   Registered seat:	1024 Budapest, Lövőház utca 2-6., Hungary
   Registration number:	01 09 304362

   hereinafter the Controller or Mammut Kft.

   Regulation (EU) 2016/679 of the European Parliament and of the Council is about the protection of natural persons with regard to the processing of personal data and on the free movement of such data.¹

   Act V of 2013 on the Civil Code;
   Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter the Info Act);
   Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society (hereinafter the ECSI Act);
   Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter the CAA Act);
   Act VI of 1998 on the ratification of Strasbourg Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data

2. Data to be Processed

   If you sign up for the newsletters of Mammut Management Kft at the “Newsletter” menu on our website, your personal data to be processed include:

   • name (given name, surname)
   • email address.

   On this website, all visitors can sign up for the Controller’s newsletter by their own data. The Controller cannot check the accuracy of the personal data given when signing up, nor the visitor’s personal identity. Please note that the use of the personal data of another person may entail civil and criminal liability.

   In order to avoid false signing up, after receiving a request to sign up, the Controller sends an email message with a confirmation link to the email address given. The request to sign up for our newsletter can be finalized by clicking on the confirmation link. If you do not finalize your request to sign up for our newsletters within 5 days after the sending of the confirmation link, the Controller will delete your data provided earlier.

3. Legal basis and purpose of data processing

   If you sign up for the Controller’s newsletters as explained above, the legal basis for data processing will be your consent given after your preliminary information.

   Purposes of the processing;

   • your identification, availability of data necessary for communicating with you;
   • development of a database/registry of the data of those signing up for the newsletters, ²development of effective direct marketing activities, and compliance with the requirements set forth in section 6(5) of the CAA Act;
   • giving you general or customized information about the latest campaigns, events or news of the Controller and its tenants (retail units in Mammut I and II shopping centers);
   • notification about changes in or termination of services of the Controller or its tenants (retail units in Mammut I and II shopping centers);
   • Promotion of and furthering the purchase of the services and goods of the Controller or its tenants (retail units in Mammut I and II shopping centers).

   Information about the current campaigns and news of the Controller’s tenants are collected by the Controller and forwarded by same to the newsletter subscribers; therefore, the personal data of the subscribers can only be accessed by the Controller’s customer service/information and marketing managers and other agents involved in such tasks, but not by the Controller’s tenants. Personal data given when subscribing to newsletters are only processed for the above purposes by the Controller.

   The data of newsletter subscribers and the data of the database created from these will not be used by the Controller to evaluate personal characteristics (e.g. customer preferences) or for profiling.

4. Period of processing

   The Controller will process your personal data until the withdrawal of your consent.

   Please note that you can withdraw your consent at any time by a request to the Controller as follows:

   • by clicking the “unsubscribe” link at the bottom of the newsletter received, which is the simplest method
   • in person at the Controller’s address: 1024 Budapest, Lövőház utca 2-6., Hungary, or at
   • by email sent to: mammut@mammut.hu

   After the withdrawal of your consent, the Controller shall immediately delete all your data. The withdrawal of consent does not affect the legitimacy of data processing performed previously based on your consent.

   If you do not confirm/finalize your subscription by clicking on the subscription confirmation link within 5 days of receiving the Controller’s relevant email, the Controller shall delete your data provided earlier.

5. Cases of transfer and forwarding of processed personal data

   1. For the operation of its website at www.mammut.hu, the Controller uses the services of a contracted partner (processor) which operates the website by using its own hosting, and the data generated during use are stored on the devices of this partner. For the design and implementation of its marketing activities, the Controller uses a third-party provider (contracted partner) as processor, which participates in managing some of the Controller’s marketing campaigns. Within the framework of this, the data of the newsletter subscribers are forwarded to the service provider which may only use such data for the intended purpose, for sending newsletters about the Controller’s business activity, campaigns and promotions. The processor may not independently process the personal data forwarded to it. Processor’s data:

      Company name:	LUMISYS Kft.
      Registered seat:	1011 Budapest, Hunyadi János út 5. 1. em. 12., Hungary
      Contact details:	Telephone: +36 1 612 5532

   2. To send newsletters, the Controller uses the MailChimp newsletter sending and database management services; as part of this, the data of newsletter subscribers are also stored on the servers of the third-party provider as processor to enable sending. Data of the third-party provider:

      Company name:	The Rocket Science Group LLC
      Registered seat:	675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308
      Contact details:	legal@mailchimp.com

      The Rocket Science Group LLC. is a registered member of the privacy shield treaty signed by the United States of America and the European Commission, so the data forwarded to it is assumed to be covered by the same level of protection as in the EU and as such, it is not subject to any further conditions.

   3. In addition to the above, in cases defined by law the Controller is entitled and obliged to forward your personal data processed by it to the competent regulatory authorities or to the body authorized to proceed, in order to enforce legal claims.

      Apart from the above, the Controller may not forward the personal data processed by it to any third party.

6. Protection of processed personal data

   When elaborating the technical and procedural rules of processing operations, the Controller lays a great emphasis on ensuring proper physical and information technology protection for your data. The applied measures are primarily intended to avoid and prevent unauthorized access to, unauthorized alteration, forwarding, disclosure, deletion of or damage to the processed data. The Controller selects the means and measures used in processing in view of this. Further, the Controller ensures that only authorized persons may access the processed data and the authenticity of the processed data and that they are not altered.

7. Data subject’s rights related to processing

   In relation to the processing of your personal data by the Controller, you are entitled to:

   • receive proper and transparent information, including feedback from the Controller whether your personal data are being processed;
   • ask to correct your incorrect personal data;
   • ask to delete your processed personal data if processing is exclusively based on your consent or if the data are no longer needed for the purpose of their collection or if processing is illegitimate;
   • exercise your right to data portability, in other words, to receive your personal data in a widely used machine-readable form, forward or ask to forward them to other controllers, provided that processing is automatized and is based on contract or consent, further, that exercising such rights does not prejudice the legitimate rights or freedoms of others;
   • ask to limit the processing of your personal data (for example, in cases where the accuracy of your processed data is disputed or processing may be illegitimate until the clarification of such circumstances);
   • protest against the processing of your personal data (for example, when processing is based on the enforcement of the legitimate interests of the controller or a third party), further, to withdraw your consent at any time,
   • to turn to the supervisory authorities or courts in case of processing thought to be illegitimate.

   Data subjects’ rights

   1. access to personal data: the data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to access the following information:

      • categories of processed personal data,
      • purposes of the processing,
      • recipients to whom your personal data has been or will be disclosed,
      • envisaged period for which the personal data will be stored, or the criteria used to determine the period,
      • the source of the data if not collected from the data subject,
      • rights to turn to the supervisory authority (complaint),
      • if automated decision-making or profiling is performed during processing, its fact, logic, or expected consequences to you.

   2. right to correct: the data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her, or to have incomplete data completed, including by means of providing a supplementary statement.

   3. right to delete personal data: the data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay if:

      • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or
      • the data subject withdraws consent, and where there is no other legal ground for the processing; or
      • the data subject objects to the processing and there are no overriding legitimate grounds for the processing; or
      • the personal data have been unlawfully processed; or
      • the personal data have to be erased for compliance with a legal obligation to which the Controller is subject;
      • the collection of personal data is needed in relation to the offer of information society services (e.g. on-line marketing, online gambling).

      There could be important reasons and interests that enable the processing of the data subject’s data even if he or she has protested against it (such as exercising the right of the freedom of expression and information, or if needed for the submission, enforcement or protection of legal claims).

   4. Right to restriction of processing: The data subject shall have the right to obtain from the Controller restriction of processing if:

      • the accuracy of the personal data is contested by the subject (in this case, limitation is for a period enabling the Controller to verify the accuracy of the personal data); or
      • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or
      • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
      • the data subject has objected to processing (in this case, restriction applies until it is verified whether the legitimate grounds of the Controller override those of the data subject);

      During the limitation period, no processing other than data storage can be performed, except for cases of important public interest or the protection of the rights of persons.

   5. Right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. The subject shall have this right of processing based on his or her consent or on a contract, and is automated. The exercising of this right shall not adversely affect the rights and freedoms of others.

   6. Right to protest: if processing is based on legitimate interest to be enforced by the controller, the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. In such cases, the Controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

   Please note that if your personal data are processed for direct marketing purposes (e.g. for sending newsletters), you are entitled to protest against such processing of your data at any time, free of charge. In such cases, the Controller is obliged to promptly terminate processing for such purpose and properly respond to your protest within a maximum of 15 days. The simplest way to exercise your right to protest is to send an email to the Controller at mammut@mammut.hu. Or you can submit a protest in person at the Controller’s address: 1024 Budapest, Lövőház utca 2-6., Hungary

8. Right to judicial remedy

   If you believe that your rights have been injured by the processing of your personal data by the Controller, and your questions and comments regarding this have not been answered or have not been answered in time or properly, you are entitled to lodge a complaint to the competent supervisory authority.

   Data of the competent supervisory authority:

   Name:	Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) [National Authority for Data Protection and Freedom]
   Address:	1125. Budapest, Szilágyi Erzsébet fasor 22c, Hungary
   e-mail:	ugyfelszolgalat@naih.hu
   Telephone:	+36 1 391 1400

   Further, you are entitled to turn to the courts with jurisdiction at your residence if you believe that the Controller processes your personal data in violation of the provisions of the relevant laws or the compulsory legal act of the European Union.

   If you plan to turn to the supervisory authority or court, please first contact the Controller as it is in possession of the information necessary to respond to your questions or request for judicial remedy.

   Our company is committed to complying with the principles of legitimate, transparent or fair data processing; therefore, in situations considered to violate your rights, we shall take immediate action to clarify any questions and remedy the established violation, and we shall inform you within a maximum of 1 month of the relevant actions taken and answer your questions about processing made to the Controller.