Privacy Statement

Privacy Statement

Effix-Marketing Ltd. as the work organization of Pannon Wood and Furniture Industry Accredited Innovation Cluster (PANFA) [PANFA Organizational and Operational Rules _ 22 January 2014 /Chapter  3.4 –Work Organization]

(hereinafter: Data Processor/Company; Registration number: 08 09 015713; Seat: 9400 Sopron, Malompatak u. 13.; representative: Péter Sándor Pakai, executive manager) as data processor, obliges itself to keep the rules described in this legal notice, moreover, it is committed to meet the requirements defined in this statement or in current legislation while processing data. It is a priority for the data processor to respect the informational self-determination of its business partners. It guarantees the confidentiality of personal data by technical, safety and organizational measures.

Further privacy policies in connection with data processing are constantly available on the following website:

The Company reserves the right to modify this statement. It informs its partners and the public about possible changes in due time. Our colleagues are happy to answer any questions in connection with this statement.

The Company’s privacy principles are consistent with current privacy legislations, especially the following:

  • European Parliament and Council (EU) Statute 2016/679 (27 April 2016) – about the protection of natural persons and personal data, the free flow of personal data and the repeal of Statute 95/46/EK (GDPR);
  • Act CXII of 2011. “Privacy Act
  • Act V of 2013 on the Civil Code
  • Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
  • Act C of 2003 on Electronic Communications
  • Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity
  1. Privacy statement scope, concepts, definitions

This privacy statement is valid from 1 January 2020 until withdrawal.

Art. 4 GDPR Definitions for the purposes of this Regulation:

    ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

    ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

    ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

     ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

    ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

    ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

  1. 5 GDPR Principles relating to processing of personal data

Personal data management related to the business activities of Effix-Marketing Kft. is based on voluntary consent. However, it may be the case that the management, storage, and transmission of a set of data provided is mandatory by law. We will inform those concerned separately.
Hereby, please note that it is the duty of the informant to obtain the consent of the data subject in the event that the informant does not provide his or her own personal data to the Company.

    2.1 Personal data shall be:

    1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
    2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’);
    3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
    6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
    7. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

2.2 Privacy Statement

It is available on the Controller’s website at all times. Acceptance of this prospectus constitutes a data management consent. The visitor confirms that he / she is familiar with the tick with the appropriate checkbox. Data processing may only take place if the data subject gives his or her voluntary, specific, informed and unambiguous consent to the processing of personal data relating to a natural person by means of a clear affirmative action, such as a written statement, including electronically.

The employee (s) of the Data Controller, or the employees of the companies involved in the data processing on behalf of the Data Controller, are obliged to keep the personal data known to them as business secrets.

In the course of their work, the employees of the Data Controller shall protect personal data from unauthorized access, familiarization, alterability, and destruction.

  1. Enforcing Data Subject’s rights

The data subject may request information on the processing of his / her personal data and request the rectification of his / her personal data; deleting your data at; restrictions on data management; and has the right to data portability.

3.1 Right to information

The data subject has the right to request information from the Data Controller whether their personal data are being processed. In compliance with the requirements of the GDPR, the Company shall provide information in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner.

3.2 Right to access

If the personal data of the data subject are being processed, he / she has the right to access the personal data and the following information:

      1. Has the right to know the purpose of the data management
      2. the categories of personal data concerned
      3. the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular third country recipients or international organizations
      4. where appropriate, the intended period for which the personal data will be stored or, if this is not possible, the criteria for determining this period
      5. He shall have the right to be informed of the right of the data subject to request the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data; and whether to lodge a complaint with a supervisory authority
      6. He / she also has the right to be informed if the data is not collected directly from the data subject
      7. Furthermore, he / she has the right to be aware of the logic used in automated decision-making cases and of the importance of such data management and the expected consequences for the data subject.

3.3 Right to rectification

On the basis of the right of rectification, the data subject shall have the right to rectify any personal data relating to him or her without undue delay upon request. In view of the purpose of the processing, the data subject shall have the right to request that personal data which are incomplete be completed (including through a supplementary declaration)

Inaccurate data will be corrected by the Company at the request of the data subject without undue delay. As long as the Company verifies the accuracy of the personal data, the personal data in question may be restricted in accordance with section 3.5 of this Prospectus.

3.4 Right to erasure (‘right to be forgotten’)

The data subject shall have the right to have the personal data, relating to him / her, deleted without undue delay upon his / her request and the data controller shall have the right to delete the personal data relating to the data subject without undue delay if any of the following case:

      1. personal data are no longer needed for the purpose for which they were collected or otherwise processed
      2. the data subject shall withdraw his or her consent as the basis for the processing and there is no other legal basis for the processing
      3. the data subject is objecting to the processing under Article 21 (1) of the GDPR and there is no overriding legitimate reason for the processing, or the data subject has an objection under Article 21 (2)
      4. personal data have been unlawfully processed
      5. personal data must be deleted in order to comply with a legal obligation under Union or Member State law applicable to the controller
      6. personal data was collected in connection with the provision of information society services.

3.5 Right to restriction of processing

The data subject shall have the right to request that the controller restrict the processing of data if any of the following applies:

      1. the data subject disputes the accuracy of the personal data, in this case the limitation relates to the period allowing the controller to verify the accuracy of the personal data
      2. the data processing is unlawful, and the data subject opposes the deletion of the data, and asks instead to restrict their use
      3. the controller no longer needs the personal data for the purposes of data processing, but the data subject requires them to present, assert or defend a legal claim; or
      4. the data subject has objected to the processing in accordance with Article 21 (1); in this case, the restriction shall apply for a period until it is ascertained whether the data controller’s legitimate reasons take precedence over those of the data subject. For the duration of its assessment, but for no more than 5 days, the data manager shall suspend data processing, examine the merits of the protest and make a decision, which shall be communicated to the applicant

If the protest is justified, the data is limited by the head of the department, meaning that only storage as data management can be implemented as long as

      1. the data subject consents to the data management;
      2. the processing of personal data is necessary for the enforcement of legal claims;
      3. it is necessary to process personal data in order to protect the rights of another natural or legal person; or
      4. law regulates data management in the public interest

The controller shall inform in advance the data subject, at whose request the processing was restricted, before the restriction would be dissolved.

3.6 Right to data portability

The data subject shall have the right to receive personal data relating to him or her made available to the Company, in a structured, widely used, machine-readable format, and to transfer such data to another data controller without being hindered by that data controller who has made personal information available if:

      1. the legal basis for the processing was the data subject’s consent, or for the performance of a contract requiring the data subject to take action at the request of one of the parties or of the data subject prior to the conclusion of the contract [GDPR Art. (a) or (b) and Article 9 (2). (a)] and
      2. the data are managed in an automated way

3.7 Right to object

The data subject shall have the right to object at any time to the processing of his or her personal data based on Article 6 (1) (e) or (f), including profiling based on those provisions, for reasons related to his or her situation. In this case, the controller may not further process the personal data unless the controller demonstrates that the processing is justified by compelling legitimate reasons, which take precedence over the interests, rights and freedoms of the data subject, or which are necessary to assert, or defend legal claims related. The Managing Director of the Company shall be responsible for determining that the data processing is justified by compelling legitimate reasons. He / she shall inform the data subject of his /her point of view on the matter.

3.8 Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to any decision based solely on automated data management, including profiling, which would have legal effects or be substantially affected by him.

The above paragraph shall not be applied where the decision:

      1. necessary for the conclusion or performance of a contract between the data subject and the controller;
      2. is made available by Union or national law applicable to the controller, which shall also lay down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
      3. based on the explicit consent of the data subject.

3.9 Right to withdrawal

The data subject shall have the right to withdraw his or her consent at any time. This is without prejudice to the legality of consenting prior data management.

3.10 Rules of procedure

The Data Controller shall inform the data subject, without undue delay, within one month of receipt of the request, about the action taken on the request, under the right of information.

Regarding the complexity of the application and the number of applications, this time limit may be extended by a further two months, where justified. In such a case, the controller shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receipt of the request. The provision of information is, as a rule, free of charge, and the Data Controller will only charge for it in the cases specified in Articles 12 (5) and 15 (3) of the GDPR.

If the Data Subject’s request is clearly unfounded or excessive, the Company may charge a fee based on the following cost elements:

      1. the direct cost of the medium in the case of paper copies;
      2. in the case of duplication on optical media, the direct cost of the medium;
      3. in the case of copies supplied by other electronic means, the direct cost of the media;
      4. in the case of postal delivery to the data requester, the postal service fee for a registered item sent by way of an additional receipt;
      5. the labour cost associated with completing the data request (the actual labour cost required to complete, retrieve, summarize and organize the data, make a copy of the data medium of the requested data, persons involved in the performance of a business shall be defined as the product of the amount of regular per-hour personal allowances.

If the controller fails to take appropriate action on the data subject’s request without delay, he shall inform the data subject, not later than one month after receipt of the request, of the reasons for the non-action and of the right to lodge a complaint at a supervisory authority.

Unless it is proved impossible or requires a disproportionate effort, all previous recipients of the personal data will be informed by the Data Controller about any rectification, erasure, or restriction of data processing. At the request of the data subject, the controller shall inform those addressees. Notification may be dispensed with if this is not contrary to the legitimate interests of the data subject, having regard to the purpose of the processing.

3.11 Compensation and Grievance Fees

The Data Controller shall also indemnify for damages caused to others due to unlawful Processing of data, or breach of data security requirements, or damages for personal injury caused by him or her or its data processor. The controller shall be exempt from liability for damages and payment of damages if he proves that he is not liable in any way for the event giving rise to the damage.

3.12 Data protection authority procedure

The data subject may lodge a complaint to the supervisory authority regarding the data controller’s data processing procedure – the The National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság NAIH) in Hungary. (seat: 1055 Budapest, Falk Miksa utca 9-11. website:

3.13 Right to apply to the courts

The data subject may, if he or she so chooses, pursue his or her claim through the courts. The trial court shall have jurisdiction over the case. At the choice of the data subject, the lawsuit may be instituted before the court in the place where the data subject is domiciled or habitually resident.

  1. Data processing due to the business activities of the Data processor

4.1. Data processing due to the use of Data processor’s website (


4.1.1. Server logging of

The webserver does not record user data when the website is visited. The code of the website contains links coming from and indicating an external server. This external server is in contact with the user’s computer. We wish to inform our visitors that the suppliers of these links are capable of data collection after their server is directly connected. The user’s search engine may provide them with user data (e.g. IP address, operational system data, address of websites visited, time of visit, movement of the mouse).

An IP address is a series of numbers suitable for identifying users’ computers unequivocally when connected to the Internet. Even the geographical position of the user can be determined with the help of an IP address. The address of the visited website, dates, times of visits are not suitable for identifying users but when linked to further data (e.g. ones given during registration) they can help to draw conclusions about users.

aim of data processing:

the service supplier records website visitors’ data in order to control the operation of services, to specify or complete visitors’ searches, to provide tailored services and to prevent misuse.

range of processed data:

identification number, IP address of users’ computers, date of visit, time, visited website address, type of operation system and search engine.

legal basis of data processing:

consent of affected data subject, and the E-Commerce Law 13/A. § (3).

duration of data storage:

30 days

method of data storage:


4.1.2. Managing the cookies of external servers of

An evaluation software runs on the website that records the data of visits. These are pieces of information that are generated automatically: IP address of visitors, data of sites opened, time of visit, name of search engine used.

Suppliers place so called cookies on the users’ computers in order to identify or track them. These cookies can be read during later Internet use. Cookies are alphanumeric information packages with various content sent by the web server. They are recorded and stored on users’ computers for a predetermined time period. The use of cookies enables the inquiry about certain user data and the tracking of Internet use.  If a search engine sends a stored cookie back, the supplier belonging to the cookie may link the current visit of the user to earlier ones in the case of websites that use the given cookie.

Thus, cookies help to determine the interests of users, their internet using customs, their website visiting history.

If a user’s search engine sends already saved cookies back to the hard drive while he/she is visiting the website, the supplier may link the current visit to earlier ones but since cookies are connected to domains, the supplier can do this with respect to his/her own content only. Cookies alone cannot identify users; they can only identify the visitor’s computer.

Google Analytics manages cookies when visiting in order to operate their web analytics system. Further information about the data processing of on:

You can read a document about “how Google uses data when you visit the website or use an application of our partners” by clicking on the following link:

Google forwards information about website use (e.g. visitor’s IP address) generated by cookies to its US server and stores it there. Google does not link information generated by cookies to other data – as a result, it does not realize personal data processing according to valid privacy laws.

Users can delete cookies from their computers or they can block cookies in their search engines. You can manage cookies generally in the Setting menu of your search engine under Privacy Policy/Search History/Custom Settings by the label Cookies or Tracking.

The following external suppliers placed the following cookies on the website:

Cookie name

Comes from



_ga (Google analytics)

2 years

 _ga cookie is a cookie used by Google Analytics.

It is used to distinguish users.

_gat (GA)

1 minute

It regulates the number of requests towards

_gid (GA)

24 hours

It is used to distinguish users


1 week

A Google cookie, it is used for statistical data collection.





The main advertising cookie is called IDE; search engines store it under the domain


6 months

Most Google users’ search engines store cookies in connection with settings, called “NID”. A NID cookie contains a unique identification number. Google uses it to store your preferences – e.g. preferred language, number of displayed search results (e.g. 10 or 20), Google secure search on or off – and other data.

_icl_current_language (WPML)

24 hours

A cookie used by WPML to store the current language code.

_icl_visitor_lang_js (WPML)

24 hours

A cookie stored by WPML. Visitor’s language.

aim of data processing:

to analyse website visiting habits, to help visitors with contacting the Company

range of processed data:

internet protocol (IP) address of visitors, time of visit, data of visited sites, name of search engine used

legal basis of data processing:

GDPR  Article 6 Chapter (1) /a): consent of affected persons.

duration of data storage:

maximum 2 years after data recording

method of data storage:


4.3. Customer service

The Company manages the name, email address and phone number of the contact person of the contracting legal person in order to fulfil the contract (contracting, fulfilment, termination). The legal basis of data processing is the consent of affected persons – related contracts are content items of consent obligation in order to obtain given consent.

aim of data processing:

contact needed to meet the requirements of business partners.

range of processed data:

contact person’s name, email address, telephone number, address

legal basis of data processing:

GDPR  Article 6 Chapter (1) /a): consent of affected persons.

duration of data storage:

until aim is realized, or until the data subject expresses the wish his/her data to be deleted..

method of data storage:



4.4. Electronic customer correspondence

If you wish to contact us in writing, the system will generate an email using the data of the form called “Join us”  – you can find this in this statement or on – which will then be forwarded to our mailbox ( Effix-Marketing Ltd will delete every email with the sender’s name, the date, the time and other personal data given in the message within maximum 5 years after data recording.

aim of data processing:

contact needed to meet the requirements of business partners.

range of processed data:

contact person’s name, email address, telephone number, company address

legal basis of data processing:

GDPR  Article 6 Chapter (1) /a): consent of affected persons.

duration of data storage:

maximum 5 years after data recording or until the data subject expresses the wish his/her data to be deleted.

method of data storage:



4.6. Other data processing

We provide information about other types of data processing upon data recording. We inform our customers that the Court of Justice, the prosecutor, the investigative/offense/administrative authority, the National Authority for Data Protection and Freedom of Information and other authorities – based on legislative authorization – may ask or oblige the Data Processor to give information, to communicate data, to hand over data or to make documents available. In case the authority indicates the accurate aim and scope of data, Effix Marketing Ltd releases only data that are absolutely necessary to realize the aim described in the request.

  1. Data processors

The Company employs the following data processors for technical tasks exclusively during personal data processing:

name of data processor:

Tá Szolgáltató Kft.


1097 Budapest, Könyves Kálmán körút 12-14

registration number:


aim of data processing:

Webhosting provider

name of data processor:

JULAWELL Bt. , Juhászné Jakab Mária


9400 Sopron, Várkerület 31.

MKVK membership number:


aim of data processing:

accounting, payroll administration

Data processors carry out data processing in accordance with the instructions given by the Company, they make no substantive decisions about data processing, they process personal data they learn merely according to the Company’s orders, they are not allowed to process data for their own purposes, moreover, they must store and preserve personal data based on the Company’s orders.

Issues not defined in the current statement

GDPR and – if allowed by GDPR – rules defined in the Privacy Act are the governing rules in the case of issues not defined in this statement.