It is very important to us that we comply in all respects with the data protection rules in force at any time and the relevant legal provisions. Below we present in detail the steps of www.lockedinhome.com and László Bruger EV (hereinafter together: “Service Provider”) aimed at protecting the data of the data subjects, as well as the data management processes performed during our service.
We treat personal data confidentially in all cases and take all necessary security, technical and organizational measures to ensure the security of personal data.
The purpose of this data management information is to define the principles and rules for the handling of personal and other data in the course of our activities, and to provide the necessary information to the data subjects (applicants / visitors / players).
Automated decision-making or profiling is not performed by the Service Provider, the data is not transferred to third countries. Only the Service Provider and its employees have access to the data.
The Service Provider reserves the right to change this prospectus, in which case it shall notify the parties concerned as soon as possible.
“GDPR” – REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation) ;
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); identify a natural person who, directly or indirectly, in particular by an identifier such as name, number, location, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;
“Processing” means any operation or set of operations on personal data or files, whether automated or non-automated, such as collection, recording, systematisation, segmentation, storage, transformation or alteration, retrieval, consultation, use, communication, transmission, distribution or other harmonization or interconnection, restriction, deletion or destruction;
“Profiling” means any form of automated processing of personal data in which personal data are assessed in order to assess certain personal characteristics of a natural person, in particular his performance, economic situation, state of health, personal preferences, interests, reliability, behavior, location or movement; used to analyze or predict related characteristics;
“Pseudonymisation” means the processing of personal data in such a way that it is no longer possible to determine to which specific natural person the personal data relate without the use of additional information, provided that such additional information is stored separately and technical and organizational measures are taken; that this personal data cannot be linked to identified or identifiable natural persons
“Registration system” means a set of personal data, whether centralized, decentralized or functional, or geographically structured, accessible according to defined criteria;
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
“Processor” means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; “Recipient” means a natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered as recipients; the said data are those of public authorities
must comply with the applicable data protection rules in accordance with the purposes of the processing;
“Consent of the data subject” means a voluntary, specific and well-informed and unambiguous statement of the will of the data subject, by which he or she indicates his or her consent to the processing of personal data concerning him or her by means of a statement or unambiguous statement;
“Data protection incident” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data which have been transmitted, stored or otherwise handled;
Data management during the activities of the Service Provider
Type of personal data processed:
The activity of the Service Provider is aimed at providing the visitors of the www.lockedinhome.com website with the experience provided by the escape rooms in the online space as well, providing exciting creative, entertainment for the players.
a) After registering on the website, visitors can register for the game by creating an account for them for a maximum of one year. In doing so, the Service Provider treats the players’ names, e-mail addresses and telephone numbers as personal data.
b) In order to pay for the service, we issue an invoice, for which it is essential to manage the players’ names and addresses.
c) In addition, so-called technical data is processed, which includes data generated during the use of the site, such as IP address, login information, browser data, time of visit of each page, page views and navigation paths, number and time of visit to pages.
The legal basis for the processing of data is the consent of the data subject.
The purpose of data management:
a) The purpose of processing the data required to participate in the game is to register visitors and to provide the service to be provided.
b) The purpose of the processing of personal data necessary for invoicing is to enable the Service Provider to issue an invoice in accordance with the accounting laws to pay the consideration.
c) We process this data in order to keep our site secure.
Legal basis for data management:
a) In the case of data required to participate in the game, the consent of the data subject.
b) In the case of personal data required for invoicing, the CXXVII. (VAT Act), the provisions concerning the obligation to issue invoices
c) Player’s consent
Duration of data management:
a) For a maximum of 3 working days but not more than 1 year after the provision of the service (game). The latter deadline is set because a registered account is valid for a maximum of 1 year after applying for a game.
b) Act CXXVII of 2007 in law (VAT Act); 23/2014 on the tax administration identification of the invoice and receipt and on the tax authority control of invoices stored in electronic form. (VI. 30.) NGM Decree, as well as Decree 1/2018 on the rules of digital archiving. (VI. 29.) ITM decree, up to a maximum of 8 years.
c) A szolgálatás (játék) nyújtását követően legfeljebb 3 munkanapig, de legfeljebb 1 évig. Ezen utóbbi határidő azért kerül meghatározásra, mert egy játékra történő jelentkezést követően a regisztrált fiók legfeljebb 1 évig érvényesz adatokat továbbá megfelelő intézkedésekkel védjük különösen a jogosulatlan hozzáférés, megváltoztatás, továbbítás, nyilvánosságra hozatal, törlés vagy megsemmisítés, valamint a véletlen megsemmisülés, sérülés, továbbá az alkalmazott technika megváltozásából fakadó hozzáférhetetlenné válás ellen.
1. Name of data processing company: KBOSS.hu Kft.
Data processing Headquarters: 1031 Budapest, Záhony utca 7.
Company registration number: 01-09-303201
Tax number: 13421739-2-41
Purpose: To process billing-related data for the purpose of issuing an electronic invoice
2. Data processing company name: Mailchimp, The Rocket Science Group, LLC
Data Processing Headquarters: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA.
Purpose: To send newsletters
3. Name of data processing company: Paylike
Data processing Headquarters: P. O. Pedersensvej 14, Aarhus, Denmark
Purpose: For credit card payments on the website
4. Name of data processing company: EZIT Korlátolt Felelősségű Társaság
Data processing Headquarters: Budapest, XIII. district, Victor Hugo u. 18-22.
Purpose: Stores personal information. You are not entitled to access personal information.
The way personal data is stored, the security of data management
The Service Provider shall implement appropriate technical and organizational measures, taking into account the state of the art and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management and the varying probability and severity of the risk to the rights and freedoms of natural persons. an adequate level of data security is guaranteed.
The IT tools used to manage personal data during the provision of the service are selected and operated in such a way that the processed data is accessible to those entitled to it, and that the data management is authentic, that data integrity is achieved and that the data is protected against unauthorized access. be
With a suitable technical solution, we ensure that the stored data cannot be directly linked and assigned to the data subject with other data files managed electronically in the various registers.
In addition, we take technical, organizational and organizational measures to protect the security of data management that provide a level of protection commensurate with the risks associated with data management.
The Service Provider during data management
– protect the information so that it can only be accessed by those who are authorized to do so,
Protect the accuracy and completeness of the information and the method of processing, and
– ensures that, when the authorized user needs it, he actually has access to the information required and that the means to do so are available.
Both our IT system and network are protected against various cyber attacks. We provide security with server-level and application-level protection procedures
The Service Provider, as a data controller, registers possible data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it.
The Service Provider shall notify the National Data Protection and Freedom of Information Authority of any data protection incident without delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is not likely to endanger the rights and freedoms of natural persons. viewed.
Data and contact details of the data controller
www.lockedinhome.com and Bruger László EV.
tax number: 69111189-1-33
registered office: 2230, Gyömrő, Csokonai utca 67.
Rights of the person concerned, legal remedies
The data subject may request information on the processing of his / her personal data and request the rectification or deletion of his / her personal data, with the exception of mandatory data processing, restrictions on data processing and exercise his right to data and protest as indicated at the data controller’s
Right to information:
At the request of the data subject, the Service Provider shall take appropriate measures in order to provide the data subject with all the information referred to in Articles 13 and 14 of the GDPR and Articles 15 to 22. and Article 34 shall be provided in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner.
The data subject’s right of access:
The data subject has the right to receive feedback from the data controller as to whether the processing of his or her personal data is in progress and, if such data processing is in progress, he or she has the right to access the personal data and the following information: purposes of data processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular recipients in third countries or international organizations; the intended period for which the personal data will be stored, the right to rectify, erase or restrict the processing of the data and the right to object; the right to lodge a complaint with the supervisory authority; information on data sources; the fact of automated decision-making, including profiling, and comprehensible information on the logic used and the significance of such data management and the expected consequences for the data subject. In the event of a transfer of personal data to a third country or to an international organization, the data subject shall be entitled to be informed of the appropriate guarantees for the transfer.
The Service Provider shall provide the data subject with a copy of the personal data subject to data management. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. At the request of the data subject, the Service Provider shall provide the information in electronic form.
The right to be informed can be exercised in writing through the indicated contact details.
Upon request, the data subject may be provided orally upon verification and identification of his identity.
Right of correction:
The data subject may request the correction of inaccurate personal data managed by the Service Provider and the supplementation of incomplete data.
To change your personal data, please contact the Service Provider at the official e-mail address, email@example.com.
Right of cancellation:
The data subject is entitled to delete the personal data concerning him / her without undue delay at his / her request if one of the following reasons exists:
(a) personal data are no longer required for the purpose for which they were collected or otherwise processed;
(b) the data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;
(c) the data subject objects to the processing and there is no overriding legitimate reason for the processing;
(d) personal data have been processed unlawfully;
(e) personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the controller;
(f) personal data have been collected in connection with the provision of information society services.
Deletion of data may not be initiated if the processing is necessary: for the purpose of exercising the right to freedom of expression and information; for the purpose of fulfilling an obligation under Union or Member State law applicable to the controller to process personal data or performing a task carried out in the public interest or in the exercise of official authority vested in the controller; in the field of public health, or for archival, scientific and historical research or statistical purposes, in the public interest; or to bring, assert or defend legal claims.
To delete personal data, please contact the Service Provider at the official e-mail address, firstname.lastname@example.org
Right to restrict data processing:
At the request of the data subject, the Service Provider restricts data management if one of the following conditions is met:
(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period which allows the accuracy of the personal data to be verified;
(b) the processing is unlawful and the data subject opposes the erasure of the data and instead requests that their use be restricted;
(c) the controller no longer needs the personal data for the purpose of processing the data, but the data subject requests them in order to make, enforce or protect legal claims; obsession
(d) the data subject has objected to the processing; in that case, the restriction shall apply for as long as it is established whether the legitimate reasons of the controller take precedence over the legitimate reasons of the data subject.
Where processing is restricted, personal data may be processed, with the exception of storage, only with the consent of the data subject or for the purpose of bringing, enforcing or protecting legal claims, protecting the rights of another natural or legal person or in the important public interest of the Union or a Member State.
The Service Provider informs the data subject in advance about the lifting of the data management restriction.
To restrict the handling of personal data, please contact the Service Provider at the official e-mail address, email@example.com.
Right to carry data:
The data subject shall have the right to receive the personal data concerning him or her made available to the controller in a structured, widely used machine-readable format and to transmit this data to another controller.
Right to protest:
The data subject shall have the right to object at any time, for reasons related to his situation, to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of public authority, or to the processing of data controllers or third parties, including profiling based on those provisions. is.
In the event of an objection, the controller may not further process the personal data, unless justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which relate to the submission, enforcement or protection of legal claims.
Where personal data are processed for the purpose of direct business acquisition, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for that purpose, including profiling, in so far as it relates to direct business acquisition.
In the event of a protest against the processing of personal data for the purpose of direct business acquisition, the Service Provider will not process the data for this purpose.
Automated decision making in individual cases, including profiling
The data subject shall have the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effects on him or her or would be similarly significant.
The above authority does not apply if the data management
(a) necessary for the conclusion or performance of a contract between the data subject and the controller;
(b) is governed by Union or Member State law applicable to the controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; obsession
(c) is based on the express consent of the data subject.
Right of withdrawal
The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the data processing prior to withdrawal.
Rules of procedure
The controller shall, without undue delay, but in any case within one month of receipt of the request, inform the data subject in accordance with Articles 15 to 22 of the GDPR. on the action taken in response to a request under Article. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months
The controller shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receiving the request. If the data subject has submitted the request electronically, the information shall be provided electronically, unless the data subject requests otherwise.
If the controller does not take action on the data subject’s request, it shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for the non-action and of the data subject’s right to appeal to a supervisory authority.
The Service Provider provides the requested information and information free of charge. If the data subject’s request is manifestly unfounded or excessive, in particular due to its repetitive nature, the controller may charge a reasonable fee or refuse to act on the request, taking into account the administrative costs of providing the requested information or action or taking the requested action.
The controller shall inform all recipients to whom or with whom the personal data have been communicated of any rectification, erasure or restriction on the processing of personal data, unless this proves impossible or requires a disproportionate effort. Upon request, the controller shall inform the data subject of these recipients.
The data controller shall make a copy of the personal data which is the subject of the data processing available to the data subject. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in electronic format, unless the data subject requests otherwise.
Compensation and damages:
Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the Data Protection Regulation is entitled to compensation from the controller or processor for the damage suffered. The data processor shall be liable for damages caused by the data processing only if it has not complied with the obligations specified in the law, which are specifically imposed on the data processors, or if it has disregarded or acted contrary to the data controller’s lawful instructions.
Where several controllers or processors or both controllers and processors are involved in the same processing and are liable for damages caused by the processing, each controller or processor shall be jointly and severally liable for the total damage.
The controller or processor shall be released from liability if it proves that it is not liable in any way for the event giving rise to the damage.
Right to go to court:
In the event of a breach of his or her rights, the data subject may bring an action against the data controller (competent according to the defendant’s domicile or residence of the data subject). The court is acting out of turn in the case. A lawsuit filed in connection with the protection of personal data is duty-free.
data protection authority procedure:
Complaints can be lodged with the National Data Protection and Freedom of Information Authority:
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1125 Budapest, Szilágyi Erzsébet avenue 22 / C.
Mailing address: 1530 Budapest, Pf .: 5.
Continuing marketing communication is essential in the course of business operations. The legal basis for data processing in this regard is to show interest in our services or the express consent of users.
In accordance with the Privacy and Electronic Communications Regulations (PECR) of the European Union, we send marketing messages to our users if they have purchased from us or have expressly consented to receive marketing messages.
In all cases, we allow you to suspend your consent and unsubscribe from messages. At the bottom of each e-mail you can find the link required for unsubscribing, or you can request removal from the database at the e-mail address firstname.lastname@example.org.
We can also send messages when unsubscribing from marketing communications, but only for order fulfillment.
Anonymized data and “COOKIEs”
On the website www.lockedinhome.com, in e-mail messages and advertisements, it uses the so-called “Cookies” and similar technologies such as tracking codes, re-marketing tags, pixels that are activated after the user consents.
These technologies help us better understand user behavior and interest, thus helping us to operate at a higher standard and more efficiently.
Our goal is to make the use of www.lockedinhome.com as user-friendly and personal as possible. If the user wishes to prohibit the recording of non-personal data by these technologies, this can be done in the following ways:
– cookie warnings on the website can be used to disable their loading
– by disabling “cookies” in the browser
– or using this tool (http://www.youronlinechoices.eu/)
If you have any questions, feel free to contact us at email@example.com