Privacy Notice

PRIVACY NOTICE
ON THE RIGHTS OF THE DATA SUBJECT
REGARDING THE PROCESSING OF THEIR PERSONAL DATA

INTRODUCTION

The Regulation (EU) 2016/679 of the European Parliament and of the Council

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

(hereinafter referred to as the “GDPR Regulation”, “Regulation”, or “General Data Protection Regulation”) requires the Data Controller to take appropriate measures to ensure that all information relating to the processing of personal data is provided to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and that the Data Controller facilitates the exercise of the data subject’s rights.

The obligation to provide prior information to the data subject is also required by Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. With the information provided below, we fulfil our obligations under these legal provisions.

Why was this Privacy Notice created?

During its operations, the Data Controller processes personal data for various purposes and aims to do so in full compliance with legal obligations and with respect for the rights of the data subjects. The Data Controller also considers it important to inform the data subjects about the processing of the personal data that comes to its knowledge in the course of its data processing activities, as well as to present the main characteristics of such processing.

On what basis is the processing of personal data carried out?

Personal data is processed only for specific purposes and on an appropriate legal basis. These purposes and legal bases are described individually for each specific data processing activity.

What external assistance is used in the processing of your personal data?

Personal data is mostly processed by the Data Controller at its own premises. However, there are certain operations for which the Data Controller uses external assistance, engaging a data processor. The identity of the data processor may vary depending on the specific characteristics of each data processing activity.

Who processes your personal data?

In Chapter II of this Privacy Notice, the Data Subject can find detailed information regarding the data processors engaged by the Data Controller, including their identity and contact details.

What principles does the Data Controller consider important in the processing of your personal data?

The processing of personal data is carried out in accordance with the applicable legal regulations, in particular the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016), known as the General Data Protection Regulation (GDPR).

During its activities, the Data Controller processes only the personal data specified within the scope of individual processing operations. The personal data provided are protected through all necessary and appropriate technical and organizational measures to ensure their security. Special attention is given to maintaining the confidentiality, integrity, and availability of personal data.

The accuracy and authenticity of personal data after their provision by the Data Subject fall under the responsibility of the Data Controller. The terms used in this Privacy Notice are interpreted in accordance with the definitions provided in the Act on the Right of Informational Self-Determination and Freedom of Information and the GDPR Regulation.

I. CHAPTER
IDENTIFICATION OF THE DATA CONTROLLER

The issuer of this Privacy Notice, and at the same time the Data Controller:

NAME: MOBIL-HOMES KFT.

REGISTERED SEAT: 2881 Ászár, Kossuth Lajos u. 44.

COMPANY REGISTRATION NUMBER: 11-09-015286

TAX NUMBER: 14730755-2-11

REPRESENTED BY: Dr. Lunkné Nyuli Márta, Managing Director

E-MAIL: info@mobilehomescentre.com

CONTACT DETAILS: available under the “Contact” menu at https://www.mobilehomescentre.hu/hun/kapcsolat

(hereinafter referred to as the “Data Controller” or the “Company”)

II. CHAPTER
IDENTIFICATION OF DATA PROCESSORS

Data Processor: means a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the data controller. (Regulation, Article 4, Point 8)

The engagement of a data processor does not require the prior consent of the data subject, but information must be provided to them. Accordingly, we provide the following information:

Person responsible for tasks related to camera operation:

COMPANY NAME: MOBIL-HOMES KFT.

REGISTERED SEAT: 2881 Ászár, Kossuth Lajos u. 44.

TAX NUMBER: 14730755-2-11

COMPANY REGISTRATION NUMBER: 11-09-015286

WEBSITE: https://www.mobilehomescentre.hu

Data Processor Providing Invoicing Services:

COMPANY NAME: Billingo Technologies Private Company Limited by Shares

REGISTERED SEAT: 1133 Budapest, Árbóc utca 6., 1st floor

TAX NUMBER: 27926309-2-41

COMPANY REGISTRATION NUMBER: 01-10-140802

WEBSITE: https://www.billingo.hu/

Hosting Service Provider:

COMPANY NAME: fws online Private Company Limited by Shares

REGISTERED SEAT: 9444 Fertőszentmiklós, Petőfi u. 44.

TAX NUMBER: 32180840-2-08

COMPANY REGISTRATION NUMBER: 08-09-015591

WEBSITE: https://www.fws.hu/

Data Processor Providing Transport Services:

NAME: T.S.L Damian Iwula

REGISTERED SEAT: Bródek 43, 22-437 Łabunie, Poland

TAX NUMBER: 9222892191

Other Recipients:

COMPANY NAME: Google LLC

REGISTERED SEAT: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

(Organization listed in the DPF – Data Privacy Framework)

WEBSITE: https://www.google.com/

COMPANY NAME: Meta Platforms, Inc.

REGISTERED SEAT: 1601 Willow Road, Menlo Park, CA 94025, USA

(Organization listed in the DPF – Data Privacy Framework)

WEBSITE: https://www.facebook.com/

COMPANY NAME: Microsoft Corporation

REGISTERED SEAT: One Microsoft Way, Redmond, Washington, USA

(Organization listed in the DPF – Data Privacy Framework)

WEBSITE: https://www.microsoft.com/

In cases where this Privacy Notice generally refers to the transfer of data to the Company’s data processors, such references shall also be understood to include the transfer of data to the above-mentioned recipients.

III. CHAPTER
ENSURING THE LAWFULNESS OF DATA PROCESSING

1. Data Processing Based on the Consent of the Data Subject

1.1. If the Company intends to carry out data processing based on consent, the data subject’s consent to the processing of their personal data must be requested using the data request form and the information content specified in the Data Processing Policy.

1.2. Consent shall also be deemed to have been given if the data subject, while viewing the Company’s website, checks a relevant box, performs specific technical settings related to the use of information society services, or makes any other statement or action which clearly indicates, in the given context, the data subject’s consent to the intended processing of their personal data.

Silence, pre-ticked boxes, or inactivity shall therefore not constitute consent.

1.3. Consent covers all data processing activities carried out for the same purpose or purposes. If data processing serves multiple purposes simultaneously, consent must be given for all such purposes.

1.4. If the data subject gives consent by means of a written statement that also relates to other matters—such as entering into a sales or service contract—the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration containing the data subject’s consent that infringes the Regulation shall not be binding.

1.5. The Company may not make the conclusion or performance of a contract conditional on the granting of consent to the processing of personal data that are not necessary for the performance of the contract.

1.6. The withdrawal of consent must be made as easy as giving it. The data subject may withdraw their consent at any time by sending an email to the address provided in Chapter I.

1.7. If the data subject withdraws their consent, the Data Controller may no longer process their data. Upon withdrawal of consent, the Data Controller must ensure the deletion of the data, unless another legal basis permits further processing (e.g., storage requirements or the necessity for contract performance). If the data processing was carried out for multiple purposes, the Data Controller may no longer use the personal data for the purpose for which the data subject has withdrawn consent.

2. Data Processing Based on Legal Obligation

2.1. In the case of data processing based on a legal obligation, the scope of the data that may be processed, the purpose of the processing, the duration of data storage, and the recipients of the data are determined by the provisions of the applicable legal regulation forming the basis of the processing.

2.2. Data processing based on the legal ground of fulfilling a legal obligation is independent of the data subject’s consent, as such processing is defined by law. Before the processing begins, the data subject must be informed that the processing is mandatory, and must be clearly and comprehensively informed—prior to the commencement of processing—of all relevant facts concerning the handling of their data, particularly the purpose and legal basis of the processing, the identity of those authorized to carry out the processing and data handling, the duration of the processing, whether their personal data are being processed on the basis of a legal obligation, and who may have access to the data.

This information must also include the data subject’s rights related to data processing and the available remedies. In the case of mandatory data processing, the notification may also be fulfilled by publishing a reference to the relevant legal provisions containing the above information.

3. Data Processing Based on Legitimate Interest

3.1. The legitimate interests of the Company or a third party may serve as a lawful basis for data processing, provided that the interests, fundamental rights, and freedoms of the data subject do not override those interests. The reasonable expectations of the data subject, based on their relationship with the data controller, must be taken into account; therefore, the processing of personal data for purposes of communication or even for direct marketing may also be considered to be based on legitimate interest.

3.2. Data processing based on legitimate interest requires a balancing test, during which the Company always considers the prevailing circumstances and the situation of both the data controller and the data subjects. For data processing carried out in the Company’s interest, the individually conducted balancing tests concluded that, taking into account the specific conditions described for each processing activity, such data processing is justified with the appropriate safeguards contained in this policy, as the Company could not operate competitively without it. In this context, the emotional impact on data subjects and any interference with their right to privacy are considered proportionate.

4. Data Processing for the Protection of Vital Interests of the Data Subject or Another Natural Person

4.1. The protection of the vital interests of the data subject or another natural person may also serve as a lawful basis for data processing, considering that the right to data protection is fundamental but not absolute, and in matters of life or death, the right to life naturally prevails over the right to the protection of personal data.

5. Data Processing Based on Contractual Interest

5.1. Data processing may also be based on contractual interest if it is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject’s request prior to entering into a contract.

6. Facilitating the Rights of the Data Subject

6.1. In all data processing activities, the Company is obliged to ensure the exercise of the rights of the data subject.

IV. CHAPTER
INFORMATION ON DATA PROCESSING CONDUCTED BY THE COMPANY

Processing of Personal Data of Natural Persons Concluding a Contract with the Data Controller (including sole proprietors or private individuals issuing invoices)

(1) On the legal basis of contract performance, the Company may process the personal data of natural persons in a contractual relationship with it for the purpose of preparing, concluding, performing, or terminating the contract, providing contractual benefits, and generally supporting economic processes arising from mutual interests.

The Company may process the following data: name, birth name, date of birth, mother’s name, address, tax identification number, tax number, registration number, registered address, business or operational address, telephone number, email address, website address, bank account number, customer number (client ID, order number), and online identifiers (lists of customers, suppliers, loyalty lists).

Such processing is also considered lawful when necessary to take steps at the data subject’s request prior to entering into a contract.

(2) The retention period for personal data, in view of the Company’s long-term business relationships, is 5 years after the termination of the contract.

(3) Recipients of personal data:

Access to personal data is restricted to employees of the Data Controller who participate in the preparation, execution, or storage of the contract. This includes the Company’s executive officers, employees responsible for customer service, contact persons, and data processors — in particular, employees and processors involved in business transactions — as well as authorities authorized by law to conduct inspections.

(4) Personal data may be transferred for processing to third parties such as Magyar Posta (Hungarian Post) or contracted courier services for mailing and delivery purposes, to the Company’s security contractor for asset protection, and to other data processors engaged by the Data Controller.

(5) The processing of personal data is considered lawful if it is necessary within the framework of a contract or an intention to conclude a contract (Recital 44 of the GDPR), or when required to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR). Accordingly, personal data collected in connection with contractual offers may also be processed on the legal basis of contract performance. The Company must inform both the offeror and the recipient of the offer of this at the time of making or receiving the offer.

Data Processing Related to the Issuance of Invoices and the Retention of Accounting Documents Connected to Contracts Concluded by the Data Controller

(1) Purpose of data processing:

To issue invoices in accordance with Act CXXVII of 2007 on Value Added Tax for the purpose of payment for services rendered, and to fulfill the accounting document retention obligations required by law.

(2) Data subjects:

Natural persons who have entered into a contract with the Data Controller, or representatives of persons who have entered into a contract with the Data Controller.

(3) Scope of personal data processed:

Name and address of the natural person.

For sole proprietors: name, registered office, and tax number.

For legal entities: tax number.

(4) Legal basis for data processing:

The processing is necessary for compliance with the legal obligations of the Data Controller.

[GDPR Article 6(1)(c)]

(5) Recipients or categories of recipients of personal data:

The Company’s data processors, in particular employees and processors performing accounting and taxation tasks.

National Tax and Customs Administration of Hungary (NAV).

(6) Retention period for personal data:

In accordance with Section 169(2) of Act C of 2000 on Accounting, personal data shall be retained for 8 years following the issuance of the invoice.

Processing of Personal Data of Natural Persons Acting as Representatives of Legal Entities Contracting with the Data Controller (Signatories to the Contract)

(1) Purpose of data processing:

The purpose of data processing is the establishment of a contract, the exercise of rights and fulfillment of obligations set out in the contract, the enforcement of any civil law claims that may arise during the performance of the contract, as well as the registration and fulfillment of obligations undertaken by the Data Controller.

(2) Data subjects:

Natural persons signing the contract.

(3) Scope of personal data processed:

The following personal data of the signing natural person may be processed:

• name, position (job title),
• email address,
• telephone number,
• mailing address,
• signature specimen.

(4) Legal basis for data processing:

The processing is based on the legitimate interests of the Data Controller, according to the balancing test described below. [GDPR Article 6(1)(f)].

The Data Controller assesses that the processing of personal data of natural persons signing contracts is justified under the legitimate interest specified in Article 6(1)(f) of the GDPR, and that the interests or fundamental rights and freedoms of the data subjects are not infringed in a way that would override the legitimate interests of the Data Controller (the data subjects’ specific interests or fundamental rights and freedoms do not take precedence over the Company’s legitimate interest).

The processing of the signature specimen is necessary for the fulfillment of the Data Controller’s legal obligation. [GDPR Article 6(1)(c)].

Pursuant to Section 3:116(1) of Act V of 2013 of Hungary (the Civil Code), the Data Controller is obliged to process the signature of the contracting partner’s representative.

(5) Recipients or categories of recipients of personal data:

Access to personal data is restricted to the employees of the Data Controller who are involved in the preparation, execution, or storage of the contract.

This includes the Company’s executive officers, employees performing customer service and business liaison tasks, as well as employees engaged in business transactions.

Furthermore, personal data may also be accessed by authorities authorized by law to conduct inspections.

(6) Retention period for personal data: Personal data shall be retained for 5 years following the termination of the contract.

Processing of Personal Data of Natural Persons Designated as Contact Persons (Non-Signatories) in Contracts (Records Maintained by the Data Controller)

(1) Purpose of data processing:

To ensure communication related to the performance or facilitation of performance of the given contract or document, and to maintain the contractual relationship.

(2) Data subjects:

Natural persons designated as contact persons — who are not signatories to the contract.

(3) Scope of personal data processed: The following personal data of the contact person may be processed:

• name, position (job title),
• email address,
• telephone number,
• mailing address.

(4) Legal basis of data processing: The enforcement of the Controller’s legitimate interests based on the following legitimate interest assessment test. [GDPR Article 6 (1) point f)].

The Controller considers that the legal basis for processing the contact details of external partners complies with the legitimate interest specified in Article 6 (1) point f) of the GDPR, and that during the processing, the interests or fundamental rights and freedoms of the Data Subjects are not infringed in such a way as to override the Controller’s legitimate interest (the specific interests or fundamental rights and freedoms of the Data Subject do not take precedence over the Controller’s legitimate interest).

(5) Recipients of personal data and categories of recipients:

Access to personal data is granted only to those employees of the Controller who are involved in the preparation, execution, or storage of the contract. These include the company’s executive officers, employees performing customer service tasks, contact persons, and employees responsible for the company’s business transactions. In addition, access may be granted to authorities or bodies authorized by law to conduct inspections.

(6) Duration of personal data storage: Five 5 years following the termination of the contract.

Sending a message through the Company’s website (contact form)

(1) A natural person sending a message through the website may give their consent to the processing of their personal data by ticking the relevant checkbox. Pre-ticking the checkbox is prohibited.

(2) Scope of personal data that may be processed: The natural person’s name (surname and first name), phone number, e-mail address, place of residence, and message.

(3) Purpose of personal data processing: Requesting information, requesting a quotation, or using a service.

(4) Legal basis of data processing: The data subject’s voluntary consent [GDPR Article 6 (1) point a)]. The voluntary consent may be withdrawn at any time. You are hereby informed that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the deletion request, please indicate your name and e-mail address for identification purposes.

(5) Recipients of personal data and categories of recipients: The Company’s employees performing tasks related to customer service and marketing activities, as well as the Company’s data processors acting as data processors.

(6) Duration of personal data storage: Until the withdrawal of the data subject’s consent.

Registration for downloading the catalogue and price list

(1) Purpose of data processing: To provide interested parties with information, price lists, and catalogues regarding the company’s products or services, as well as to maintain contact in this regard and to prepare potential business relationships.

(2) Scope of personal data that may be processed:

• Name
• E-mail address
• Telephone number
• County (region) designation
• Installation location

(4) Legal basis of data processing: The data subject’s voluntary consent [GDPR Article 6 (1) point a)]. The voluntary consent may be withdrawn at any time. You are hereby informed that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the deletion request, please indicate your name and e-mail address for identification purposes.

(5) Recipients of personal data and categories of recipients: The Company’s employees performing tasks related to customer service and marketing activities, as well as the Company’s data processors acting as data processors.

(6) Duration of personal data storage: Until the withdrawal of the data subject’s consent.

Data processing related to goods delivery

(1) Purpose of data processing:

The primary purpose of data processing related to goods delivery is to ensure that the product ordered by the customer is delivered to the specified delivery address in the most efficient and convenient way possible. For this purpose, the data provided by the data subject are used exclusively to ensure that the delivery can take place smoothly, in accordance with the data subject’s needs and preferences.

(2) Scope of personal data that may be processed:

• Name
• Delivery address
• E-mail address
• Telephone number
• Characteristics of the products to be delivered
• Date of purchase
• Requested and/or agreed delivery date

(4) Legal basis of data processing: The data subject’s voluntary consent [GDPR Article 6 (1) point a)]. The voluntary consent may be withdrawn at any time. You are hereby informed that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the deletion request, please indicate your name and e-mail address for identification purposes.

(5) Recipients of personal data and categories of recipients: The Company’s employees performing tasks related to customer service and delivery activities, as well as the Company’s data processors acting as data processors.

(6) Duration of personal data storage: Until the withdrawal of the data subject’s consent.

Data processing related to social media (Facebook and Instagram)

(1) Influence over data processing by social media operators:

Our Company has only limited influence over the data processing carried out by social media platform operators. Where we are able to influence or configure such processing, we promote data processing practices that comply with data protection requirements within the scope of our available options. However, in most cases we have no control over the operator’s activities and therefore have no information regarding the exact data being processed.

Facebook’s privacy policy can be found at the following link:

https://www.facebook.com/privacy/explanation/

Instagram’s privacy policy can be found at the following link:

https://help.instagram.com/519522125107875

(2) The Controller’s activity on Facebook:

The Controller manages its own page on Facebook. The data subject may subscribe to the news feed published on the Facebook page by clicking the “like” or “follow” button. To contact the Controller through Facebook, the data subject must log in. For this purpose, Facebook also requests, stores, and processes personal data. The Controller has no influence over the type, scope, or processing of these data and does not receive personal data from Facebook’s operator.

The Controller processes the personal data of followers on its Facebook page based on their voluntary consent, which is considered granted when the individual likes, follows the page or its posts, or writes comments.

By requesting services through the Controller’s Facebook page, the data subject declares that they are at least 16 years old. According to Article 8 (1) of the GDPR, a person under 16 years of age requires the consent of their legal representative for the validity of their declaration of consent to data processing. The Controller is not in a position to verify the age or legal capacity of the consenting person; therefore, the data subject guarantees the accuracy of the data provided.

(3) Purpose of data processing: To provide information on current news, updates, and topics related to the Controller; to advertise on social media platforms; and to present and promote services. The Controller uses its Facebook page for marketing purposes to help interested parties learn about its services and to facilitate contact with the Controller.

(4) Legal basis of data processing: The data subject’s voluntary consent (in accordance with the data protection policies of Facebook, Instagram, and LinkedIn).

(5) Scope of personal data processed: The data subject’s name; data subjects: users of the social media platform.

(6) Duration of data processing: The data subject may unsubscribe from following the Controller’s Facebook page by clicking the “dislike” or “unfollow” button or may delete unwanted content using the settings of their message feed. Data are processed as long as the service remains active.

(7) Recipients: Employees of the Controller performing tasks related to customer service and marketing, as well as the Controller’s data processors, particularly the Company’s IT service provider.

(8) Additional information: The data subject acknowledges that providing data is not a precondition for entering into a contract and is not mandatory. Failure to provide personal data may result in the data subject not receiving updates or information about the Controller’s latest news and services.

Data processing for direct marketing purposes

(1) General principles: Unless otherwise provided by law, advertising may be communicated to a natural person, as the recipient of advertising, through direct contact methods (direct marketing) — in particular by electronic mail or other equivalent individual communication means — only if the recipient has given their prior, explicit, and unambiguous consent, except as otherwise specified in Act XLVIII of 2008. According to Recital 47 of the GDPR, the processing of personal data for direct marketing purposes may also be regarded as carried out based on a legitimate interest.

(2) Scope of personal data that may be processed by the Company for direct marketing purposes: The natural person’s name, telephone number, and e-mail address.

(3) Purpose of personal data processing: To carry out direct marketing activities related to the Company’s operations, i.e., to send advertising materials, newsletters, and current offers regularly or periodically in printed (postal) or electronic (e-mail) form to the contact details provided at registration. Additionally, to:

• Invite you by e-mail to events organized by us that may be relevant to you,
• Recommend relevant content to you via e-mail,
• Contact you directly with targeted offers via e-mail and telephone,
• Display targeted advertisements to you in e-mail messages.

The general purpose of personalized (targeted) marketing messages is to increase the awareness of us, as the Controller, and of our products and services among those who are interested in them. We aim to achieve this by sending you only information that is relevant to you, provided that you have given your prior consent to such communication.

(4) Legal basis of data processing: The data subject’s voluntary consent [GDPR Article 6 (1) point a)].

The voluntary consent may be withdrawn at any time. You are hereby informed that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the deletion request, please indicate your name and e-mail address for identification purposes.

(5) Recipients of personal data and categories of recipients: Employees of the Company performing tasks related to customer service and marketing, as well as the Company’s data processors acting as data processors.

(6) Duration of personal data storage: Until the withdrawal of the data subject’s consent (or submission of a deletion request).

Data processing related to the establishment of a camera surveillance system

(1) Purpose of data processing: At our company’s premises located at 2870 Kisbér, Téglagyári út, where the show houses can be viewed, an electronic surveillance system is operated for the purpose of protecting human life, physical integrity, personal freedom, trade secrets, and property.

(2) Legal basis of data processing: The enforcement of the Controller’s legitimate interests. (GDPR Article 6 (1) point f)).

The Controller has documented the legitimate interest assessment process (balancing tests) and, having taken all circumstances into account, has determined that the operation of the camera surveillance system is lawful for the purposes of ensuring the safety of you and other persons present in the buildings (such as factories or stores), maintaining order within the premises, and protecting property. Considering the short retention period of the recordings, the careful data security measures, and the guarantee rules ensuring the exercise of the data subjects’ rights, the processing is justified. Based on the results of the assessment, the overall benefits achievable through the data processing outweigh any disadvantages caused to you by the recording and storage of the footage, and do not result in any significant infringement of interests.

(3) Notice of the use of the electronic surveillance system: The fact that an electronic surveillance system is in operation in a given area must be indicated by means of a clearly visible and legible notice placed in a way that enables third parties entering the area to be properly informed. Information must be provided for each individual camera. This notice must include details regarding the operation of the electronic property protection system and the purpose of recording image and sound that contain personal data.

(4) Scope of data subjects: All natural persons who enter or remain in an area monitored by the camera surveillance system (employees, customers, clients).

(5) Scope of personal data that may be processed: All cameras operated within the Controller’s premises perform continuous recorded monitoring.

The camera surveillance system records the image of any person entering the area monitored by the cameras, as well as the person’s actions visible in the recording. The camera surveillance system does not record sound.

(6) Data security measures:

a) The monitor used to view and replay recordings must be positioned in such a way that, during display, the images cannot be seen by any person outside the authorized group.

b) The monitoring and review of stored footage may only be carried out for the purpose of detecting unlawful acts and initiating the necessary measures to eliminate them.

c) No recording may be made of the images transmitted by the cameras using any device other than the central recording unit.

d) The storage media containing the recordings must be kept in a locked location.

e) Access to stored recordings may only occur securely and in such a way that the identity of the person accessing the data can be clearly identified.

f) The review of stored recordings and any copying of recordings must be documented.

g) When the justification for access ceases to exist, access to the stored recordings must be terminated immediately.

h) The recording device uses a dedicated hard drive for both the operating system and the recorded footage. No separate backup copy of the recordings is made.

i) In the event of detecting an unlawful act, measures must be taken immediately to retain the relevant recording and to initiate the necessary official procedure, and the authorities must be informed that a recording of the act exists.

(7) Recipients of personal data and categories of recipients: The data recorded by the electronic surveillance system may be viewed only by the Company’s managing directors and the chief executive, in addition to those authorized by law.

(8) Duration of personal data (image) storage: Maximum of 30 days.

Data processing related to job applicants, applications, and CVs

(1) Scope of personal data that may be processed:

The natural person’s name, date and place of birth, mother’s name, address, photograph, telephone number, e-mail address, and data relating to professional background, experience, qualifications, and education.

If, following the submission of the application, a personal interview takes place, the Controller will prepare notes on the interview, the content of which also qualifies as personal data.

(2) Purpose of personal data processing:

• To identify the data subject,
• To evaluate the job application submitted by the data subject to the Controller,
• To enable the data subject’s participation in the selection process,
• To select candidates with the appropriate skills, professional experience, and qualifications for the advertised position,
• To contact and maintain communication with the data subject during the recruitment process,
• To offer potential future employment opportunities to the data subject if they are not selected for the advertised position.

(3) Legal basis of data processing: By submitting a job application, the data subject gives their consent (GDPR Article 6 (1) point a)) to the processing of their personal data. Consent is considered granted upon submission of the application.

(4) Recipients of personal data and categories of recipients: The Company’s executives authorized to exercise employer rights and employees performing HR-related tasks.

Please note that, for certain positions, the Company may use the assistance of a data processor. In such cases, specific stages of the selection process are carried out by an expert partner on behalf of the Company. Accordingly, the documents submitted by you during the application process may be forwarded to the Company’s contracted data processing partner solely for the purpose of fulfilling the stated data processing objective. The Company guarantees that your data will be processed by the partner exclusively for the above purpose. You will be informed in advance of the partner’s identity prior to any data transfer.

(5) Duration of personal data storage:  The Controller will delete the personal data of the data subject one year after the submission of the job application or will process them until the withdrawal of the data subject’s consent.

The Controller will delete the documents submitted by the data subject upon their request without delay. If the data subject requests the deletion of their personal data before the conclusion of the selection process, they will no longer be able to participate in the process.

Please note that, during the evaluation of applications, we may review publicly available information on social media platforms (e.g., Facebook, LinkedIn, Instagram, Twitter, etc.). Such information is viewed solely for informational purposes and is not copied, printed, or recorded in any form.

Data processing for the purpose of fulfilling tax and accounting obligations

(1) Purpose and legal basis of data processing: The Company processes the legally specified personal data of natural persons with whom it interacts, based on legal obligation, for the purpose of fulfilling its statutory tax and accounting duties (bookkeeping, taxation). According to Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax, the data processed include, in particular: tax number, name, address, tax status; According to Section 167 of Act C of 2000 on Accounting: name, address, identification of the person or organization authorizing the economic transaction, the signature of the person authorizing payment and the person confirming execution, and, depending on the organization, the signature of the controller; on inventory and cash management documents, the signature of the recipient or payer; According to Act CXVII of 1995 on Personal Income Tax: tax identification number.

(2) Data processing related to vehicle logbooks and travel records (for vehicles used by multiple authorized persons): Based on legal obligation, the Company processes data required by law for cost accounting, documentation, determination of tax bases, and accounting for fuel savings related to the use of company vehicles or private vehicles used by employees for official business purposes. The processed data include: driver’s name, vehicle type, license plate number, date and purpose of travel, route taken, and name of the business partner visited. Relevant legal provisions: Act CXVII of 1995 (Personal Income Tax Act), Section 27 (2), Annex 3, point 6, and Annex 5, point 7.

(3) Duration of personal data storage: Eight (8) years following the termination of the legal relationship giving rise to the data processing.

(4) Recipients of personal data: Employees and data processors of the Company performing taxation, accounting, payroll, and social security tasks.

Data processing by the payer

(1) Purpose and legal basis of data processing: Based on a legal obligation, the Company processes the personal data of data subjects — employees, their family members, contracted individuals, and other beneficiaries — as required by tax laws, for the purpose of fulfilling statutory tax and contribution obligations (determination of taxes, tax advances, and contributions; payroll; social security and pension administration). This applies to individuals with whom the Company has a payer relationship, as defined in Section 7 (31) of Act CL of 2017 on the Rules of Taxation (Art.). The scope of processed data is determined by Section 50 of the Art., including in particular: the natural person’s personal identification data (including previous name and title), gender, nationality, tax identification number, and social security identification number (TAJ). If tax legislation assigns legal consequences to such processing, the Company may also process employees’ health-related data (under Section 40 of the Personal Income Tax Act) and trade union membership data (under Section 47 (2) b) of the same Act), for the purpose of fulfilling tax and contribution obligations (payroll and social security administration).

(2) Duration of personal data storage: Eight (8) years following the termination of the legal relationship giving rise to the data processing.

(3) Recipients of personal data: Employees and data processors of the Company performing taxation, payroll, and social security (payer) tasks. 

Data processing related to documents of permanent value under the Archives Act

(1) Purpose and legal basis of data processing: Based on a legal obligation, the Company processes its documents that are classified as being of permanent value under Act LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archival Material (the Archives Act). The purpose of processing is to ensure that the permanently valuable part of the Company’s records is preserved in good and usable condition for future generations. Duration of data storage: Until the transfer of the records to the public archive.

(2) Recipients of personal data: The Company’s managing director, employees responsible for document management and archiving, and the staff of the public archive.

V. CHAPTER
VISITOR DATA PROCESSING ON THE COMPANY’S WEBSITE – INFORMATION ON THE USE OF COOKIES

1. The visitor to the website must be informed on the website about the use of cookies, and – with the exception of cookies that are technically essential for the operation of the site (session cookies) – their consent must be obtained.

A cookie is a small text file that is stored on the data subject’s computer or mobile device’s long-term storage (HDD or SSD) for the period specified in the cookie’s expiry settings and is reactivated upon subsequent visits. Its purpose is to record data related to the visit and personal preferences; however, this data cannot be linked to the identity of the visitor. Cookies help in creating a user-friendly website and enhance the data subject’s online experience. If the data subject does not consent to the use of cookies by the Data Processor, they must discontinue the use of the website.

Purpose of data processing:

• To facilitate navigation on the website and make its use easier by recording your settings and usage preferences.
• To improve the user experience by collecting information about how you use the website, which pages you visit or use most frequently, so that we can provide an even better experience when you visit our site again.
• To collect statistical data, the analysis of which helps us understand how you use the website and other online services, thereby enabling us to further develop them.
• To continuously improve and fine-tune the website according to your needs.
• To identify potential malicious IT activities.

Legal basis of data processing: In the case of cookies that are essential for the proper functioning of the website, the legal basis for data processing is the Controller’s legitimate interest [GDPR Article 6 (1) point f)].

The legal basis for processing other cookies is the data subject’s voluntary consent [GDPR Article 6 (1) point a)]. The voluntary consent may be withdrawn at any time. You are hereby informed that the withdrawal of consent does not affect the lawfulness of data processing carried out prior to its withdrawal. In the deletion request, please indicate your name and e-mail address for identification purposes.

Scope of personal data processed: Through the placement and retrieval of cookies, data and related information concerning visitors’ use and browsing of the website are processed in accordance with the purposes of data processing.

Duration of data processing: A distinction is made between cookies stored until the end of a given session and cookies processed for a defined, longer period. Different cookies are stored only for the period necessary to achieve their specific purpose. The data subject may delete cookies stored on their computer or mobile device at any time through their browser settings.

2. Detailed information about cookies 

2.1. A cookie is a piece of data sent by the visited website to the visitor’s browser (in the form of a variable name–value pair), so that it can be stored and later reloaded by the same website. A cookie may have an expiry period — it can remain valid until the browser is closed or for an unlimited duration. During subsequent HTTP(S) requests, the browser sends these data back to the server, thereby modifying the data stored on the user’s device.

2.2. Due to the nature of modern web services, the use of cookies is necessary. Their function is to identify a user (for example, to determine whether they have logged into the website) and to handle their session accordingly, even recognizing them upon future visits. The risk lies in the fact that users are not always aware of this, and cookies may enable the website operator or third-party service providers embedded in the site (e.g., Facebook, Google Analytics) to track the user’s activity. In such cases, a profile may be created about the user, and the content of the cookie may therefore be considered personal data.

2.3. Types of cookies:

2.3.1. Technically essential session cookies: These are cookies without which the website would not function properly. They are necessary for user identification — for example, to manage whether the user is logged in or what items are in their shopping cart. Typically, these store only a session ID, while other related data are stored on the server, which is a more secure practice. There is a security aspect to this: if the session cookie value is not properly generated, there is a risk of a session hijacking attack; therefore, it is essential that these values are generated correctly. In other terminology, session cookies refer to all cookies that are deleted when the browser is closed (a “session” being one continuous browsing period from start to exit).

2.3.2. Functionality cookies: These cookies remember user preferences — for example, how the user wishes to view the website. Essentially, these cookies store configuration or preference data.

2.3.3. Performance cookies: Although they are not directly related to “performance,” this term generally refers to cookies that collect information about how the user behaves on the website — such as time spent on the site or clicks made. These are typically third-party applications (e.g., Google Analytics, AdWords, or Yandex.ru cookies). Such cookies can be used to create user profiles.

You can find information about Google Analytics cookies here:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

You can find information about Google AdWords cookies here:

https://support.google.com/adwords/answer/2407785?hl=hu

2.4. Acceptance and management of cookies:

The use of cookies is not mandatory, and you are not required to accept or enable them. You can adjust your browser settings to reject all cookies or to notify you when a cookie is being sent. Although most browsers automatically accept cookies by default, these settings can generally be changed to prevent automatic acceptance.

You can find information about cookie settings for the most popular browsers at the following links:

Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu

Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn

Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11

Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7

Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9

Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8

Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq

Safari: https://support.apple.com/hu-hu/HT201265

However, please note that certain website functions or services may not operate properly without cookies.

3. Information about cookies used on the Company’s website and the data generated during visits

3.1. Scope of data processed during a visit:

During the use of the Company’s website, the following data about the visitor and the device used for browsing may be recorded and processed:

• the visitor’s IP address,
• the type of browser used,
• characteristics of the operating system of the device used for browsing (including the set language),
• the date and time of the visit,
• the visited (sub)page, function, or service,
• clicks made during browsing.

These data are retained for a maximum of 90 days and may primarily be used for investigating security incidents.

3.2. Cookies used on the website

3.2.1. Technically essential session cookies

Purpose of data processing:

To ensure the proper functioning of the website. These cookies are necessary for visitors to be able to browse the website and use its functions smoothly and fully, as well as to access services available through the website. Among other things, they enable the website to remember the visitor’s actions on a given page or to identify the logged-in user during a single visit. The duration of processing for these cookies applies only to the visitor’s current session; they are automatically deleted from the computer once the session ends or the browser is closed.

Legal basis of data processing:

Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Elkertv.), which states that the service provider may process personal data that are technically essential for providing the service. The service provider must select and operate the tools used in the provision of information society services in such a way that personal data are processed only if this is strictly necessary for providing the service and for fulfilling the purposes defined by this Act — and even in such cases, only to the extent and for the duration necessary.

3.2.2. Használatot elősegítő sütik:

Ezek megjegyzik a felhasználó választásait, például milyen formában szeretné a felhasználó az oldalt látni. Ezek a fajta sütik lényegében a sütiben tárolt beállítási adatokat jelentik.

Az adatkezelés jogalapja a látogató hozzájárulása.

Az adatkezelés célja: A szolgáltatás hatékonyságának növelése, felhasználói élmény növelése, a honlap használatának kényelmesebbé tétele.

Ez az adat jellemzően a felhasználó gépén van, a weboldal csak hozzáfér és felismer(het)i általa a látogatót.

3.2.3. Performance cookies

These cookies collect information about the user’s behavior on the visited website, including time spent on the site and clicks made.

Legal basis of data processing: The data subject’s consent.

Purpose of data processing: Website analysis and the sending of advertising offers.

VI. CHAPTER
INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

I. Summary of your rights:

You may request the following from the Controller:

• Information about the processing of your personal data (both before and during the processing). Your right to information is ensured through the preparation and publication of this Privacy Notice.
• Access to your personal data (to obtain a copy of your personal data processed by the Controller).
• Rectification or supplementation of your personal data.
• Erasure or restriction (blocking) of your personal data, except where data processing is mandatory.
• Right to data portability – to receive your personal data in a structured, commonly used, and machine-readable format or to have it transmitted to another controller.
• Right to object to the processing of your personal data.
• Right not to be subject to a decision based solely on automated data processing – including profiling – that produces legal effects concerning you or similarly significantly affects you.
• Right to legal remedy – you may seek redress if your rights related to data processing are infringed.

You may submit your data subject request to the Controller in writing, in accordance with the chapter on the enforcement of rights and available legal remedies related to data processing. The Controller will fulfill your legitimate request within a maximum of 30 days and will notify you by sending a written response to the contact details you have provided.

II. Detailed description of your rights:

Right to request information (Based on the Controller’s obligations set out in Articles 13–14 of the GDPR)

In accordance with the chapter on the enforcement of rights and legal remedies related to data processing, you may request information from the Controller in writing regarding:

• which of your personal data are being processed,
• on what legal basis,
• for what purpose,
• from what source,
• for how long the data are processed,
• whether the Controller uses a data processor, and if so, the name, address, and activities of the processor in relation to the processing,
• to whom, when, and under what legal basis the Controller has granted access to or transferred your personal data,
• and, if applicable, the circumstances, effects, and remedial measures taken in connection with any personal data breach.

Right of access (Based on Article 15 of the GDPR)

You have the right to obtain confirmation from the Controller as to whether or not personal data concerning you are being processed, and, where that is the case, you have the right to access those personal data. You may request this information from the Controller in writing, in accordance with the chapter on the enforcement of rights and legal remedies related to data processing.

The Controller shall provide you with a copy of the personal data undergoing processing—unless prohibited by other legal restrictions. If you submit your request electronically, the information shall be provided in a commonly used electronic format, unless you request otherwise.

Right to rectification and supplementation (Based on Article 16 of the GDPR)

In accordance with the chapter on the enforcement of rights and legal remedies related to data processing, you may request in writing that the Controller modify any of your personal data (for example, you may change your e-mail address or postal contact details at any time, or request the correction of any inaccurate personal data processed by the Controller).

Taking into account the purpose of the processing, you also have the right to request the completion of any incomplete personal data processed by the Controller.

Right to erasure (“right to be forgotten”) (Based on Article 17 of the GDPR)

You may request the deletion of your personal data primarily when our data processing is based on your voluntary consent — for example, if you have given your consent for us to process your contact information (such as your phone number or e-mail address). In such cases, your personal data will be deleted.

Your voluntary consent may be withdrawn at any time. Please note that the withdrawal of consent does not affect the lawfulness of data processing carried out prior to its withdrawal. In your deletion request, please include your name and e-mail address to enable proper identification.

Right to restriction of processing (blocking) (Based on Article 18 of the GDPR)

In accordance with the chapter on the enforcement of rights and legal remedies related to data processing, you may request in writing that the Controller restrict the processing of your personal data (by clearly marking the restricted nature of the processing and ensuring that such data are handled separately from other data).

The restriction remains in place for as long as the reason specified by you requires the retention of the data. You may, for example, request the restriction of your data if you believe that the Controller has processed your submission unlawfully but it is necessary for the Controller to retain it for the purpose of any administrative or judicial proceedings you have initiated.

In such cases, the Controller will continue to store the personal data (for example, the submission in question) until the authority or court contacts the Controller, after which the data will be deleted.

Right to data portability (Based on Article 20 of the GDPR)

In accordance with the chapter on the enforcement of rights and legal remedies related to data processing, you may request in writing to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used, and machine-readable format.

You also have the right to transmit those data to another controller without hindrance from the Controller, provided that:

• the data processing is based on consent pursuant to Article 6 (1) point (a) or Article 9 (2) point (a) of the GDPR, or
• on a contract pursuant to Article 6 (1) point (b) of the GDPR; and
• the data processing is carried out by automated means.

Right to object (Based on Article 21 of the GDPR)

You may object in writing—using the contact details provided in the chapter on the enforcement of rights and legal remedies—to the processing of your personal data carried out under Article 6 (1) point (f) of the General Data Protection Regulation, which is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on these provisions.

In such cases, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or which are related to the establishment, exercise, or defence of legal claims.

Automated individual decision-making, including profiling (Based on Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you.

This right does not apply if the decision:

a) is necessary for entering into, or the performance of, a contract between you and the Controller;

b) is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests; or

c) is based on your explicit consent.

In the cases referred to in points (a) and (c), the Controller shall implement appropriate measures to safeguard your rights, freedoms, and legitimate interests, including at least your right to obtain human intervention on the part of the Controller, to express your point of view, and to contest the decision.

VII. CHAPTER
ENFORCEMENT OF RIGHTS AND LEGAL REMEDIES RELATED TO DATA PROCESSING

Contacting the Controller

We recommend that before initiating any judicial or administrative proceedings, you first send your inquiry or complaint regarding the processing of your personal data to the Controller. This allows us to investigate the matter and provide a satisfactory resolution, or to fulfill any of your requests or claims made under the Information on the Rights of the Data Subject chapter, provided that they are well-founded.

In the event that you exercise any of your data protection rights, request information related to data processing, or submit an objection or complaint, the Controller will investigate the matter without undue delay and take the necessary measures within the time limits prescribed by applicable laws. The Controller will also provide you with information regarding the outcome of your request. If necessary, taking into account the complexity of your request and the number of inquiries received, this deadline may be extended as permitted by law.

If you submit your request electronically, we will, where possible, provide our response electronically as well, unless you request otherwise. If the Controller does not take action on your request without undue delay and, at the latest, within the period prescribed by law, you will be informed of the reasons for the lack of action or for the refusal to fulfill your request, as well as of your right to initiate judicial or administrative proceedings as described below.

To exercise your rights related to data processing—or if you have any questions, concerns, or requests for clarification regarding the data processed by the Controller, wish to submit a complaint, or intend to exercise any of your rights described in the Information on the Rights of the Data Subject chapter—you may do so by submitting a data subject request in writing, either by traditional mail or by e-mail, using the Controller’s contact details.

MOBIL-HOMES KFT.

Registered office: 2881 Ászár, Kossuth Lajos u. 44.

Telephone: +36 70 776 6322

E-mail: info@mobilehomescentre.com

Initiating an administrative procedure

You have the right to lodge a complaint with a supervisory authority – in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement – if you consider that the processing of your personal data concerning you infringes the provisions of the GDPR. For the contact details of the supervisory (data protection) authorities within the EU, see: https://edpb.europa.eu/about-edpb/board/members_hu. In Hungary, you may initiate an investigation or an official procedure with the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa u. 9-11., website: http://naih.hu, mailing address: 1363 Budapest, Pf. 9.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu) in order to enforce your rights, claiming that a violation has occurred in connection with the processing of your personal data or that there is an imminent risk of such a violation, in particular,

• if you believe that the Controller restricts the exercise of your data subject rights as defined in the chapter Information on the Rights of the Data Subject, or rejects your request to exercise these rights (initiation of an investigation), and
• if you consider that, during the processing of your personal data, the Controller or any data processor acting on its behalf or under its instructions has violated the provisions on the processing of personal data set out in law or in a binding legal act of the European Union (request for the initiation of an official procedure).

Initiating judicial proceedings

You may bring an action before a court if you believe that the Controller is processing personal data in violation of the provisions laid down by law or by a binding legal act of the European Union concerning the processing of personal data. Such proceedings may also be initiated before the court of the Member State where the data subject has their habitual residence. In Hungary, such cases fall within the jurisdiction of the Regional Court (Törvényszék). The data subject may choose to bring the action before the Regional Court having jurisdiction over their place of residence or place of stay. Information about the jurisdiction and contact details of the courts (Regional Courts) can be found at the following website: https://birosag.hu/.

VIII. CHAPTER
DATA SECURITY

The Controller undertakes to ensure the security of the personal data it processes. Taking into account the state of scientific and technological development, the costs of implementation, as well as the nature, scope, context, and purposes of the data processing and the varying likelihood and severity of risks to the rights and freedoms of natural persons, the Controller implements the necessary technical and organizational measures and establishes procedural rules to ensure that the collected, stored, and processed data are protected, and to prevent their destruction, unauthorized use, or unauthorized alteration.

The Controller also undertakes to require any third parties to whom personal data are transmitted or disclosed on any legal basis to comply with data security requirements. The Controller ensures that no unauthorized person gains access to, discloses, transmits, modifies, or deletes the processed data.

The personal data processed may be accessed exclusively by the Controller, its employees, and any data processors and recipients engaged by the Controller, in accordance with defined authorization levels. The Controller does not disclose the data to any third party who is not authorized to access it. Employees of the Controller and the Data Processor may access personal data only within the scope of their designated roles and responsibilities, as determined by the Controller and the Data Processor, and according to specific authorization levels.

To ensure the security of its IT systems, the Controller protects them with a firewall and uses antivirus and anti-malware software to prevent both external and internal data loss. The Controller has also taken steps to properly monitor all incoming and outgoing communications to prevent misuse.

The Controller and the Data Processor classify and handle all personal data as confidential. To safeguard electronically managed data records across different registers, the Controller ensures that the stored data cannot be directly linked or assigned to a specific Data Subject, except in cases permitted by law.

The Controller guarantees a level of data security appropriate to the degree of risk, including, where applicable:

• the pseudonymization and encryption of personal data,
• ensuring the ongoing confidentiality, integrity, availability, and resilience of systems and services used for processing personal data (including operational and development security, protection and detection against intrusion, and prevention of unauthorized access),
• the ability to restore access to personal data and their availability in a timely manner in the event of a physical or technical incident (prevention of data leakage; vulnerability and incident management),
• and procedures for the regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures implemented to guarantee the security of data processing (ensuring business continuity, protection against malicious code, secure storage, transmission and processing of data, and the security training of employees).

When determining the appropriate level of security, particular attention must be paid to the risks arising from data processing, especially those resulting from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that are transmitted, stored, or otherwise processed.

Please note that further detailed information on data security may be requested from the Controller at the following e-mail address: info@mobilehomescentre.com.

IX. CHAPTER
DATA TRANSFER TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

1.) Based on an adequacy decision (Article 45 of the GDPR)

According to Article 45 of the GDPR, the transfer of personal data to a third country or an international organization may take place if the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection equivalent to that provided within the European Union. Article 45 (2) of the GDPR sets out the general criteria that the Commission takes into account when assessing the adequacy of the level of protection. The Commission periodically and regularly monitors the adequacy of the level of protection in countries (or their specific territories, sectors, or international organizations) for which an adequacy decision has previously been adopted. If it determines that an adequate level of protection is no longer ensured, the Commission may repeal, amend, or suspend its decision.

2.) Trans-Atlantic Data Privacy Framework

On July 10, 2023, the European Commission adopted an adequacy decision regarding the new EU-U.S. Data Privacy Framework, establishing that personal data can be safely transferred from the European Union to participating U.S. companies under the new framework. The decision confirms that the United States ensures an adequate level of protection for personal data transferred from the EU to U.S. companies participating in the framework. Participation in the Trans-Atlantic Data Privacy Framework requires U.S. companies, as data controllers, to commit to implementing data protection measures that comply with the principles of the GDPR.

3.) Data transfers based on appropriate safeguards (Article 46 of the GDPR)

In the absence of an adequacy decision pursuant to Article 45 of the GDPR, the controller or processor may transfer personal data to a third country or an international organization only if appropriate safeguards have been provided to ensure the adequacy of data protection, and if enforceable data subject rights and effective legal remedies are available to the data subjects.

The Controller informs you that, during the course of data processing, the personal data you provide may be transferred to a third country.

X. CHAPTER
MISCELLANEOUS

No automated decision-making or profiling takes place during the processing of personal data described in this Privacy Notice.

The Controller reserves the right to unilaterally amend this Notice in the future. The current version of the Privacy Notice is always available on the Controller’s website. Data subjects will be informed of any changes through the Controller’s website.

Dated: Ászár, April 16, 2025

MOBIL-HOMES KFT.

Represented by: Dr. Márta Lunkné Nyuli, Managing Director