Privacy Policy

This Privacy Policy is effective from 01.04.2024

The data controller pays particular attention to ensuring that the processing of personal data complies with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the 'Regulation').

In connection with the processing of data, the Data Controller hereby informs visitors (hereinafter: Data Subjects) using the website www.dembell.com (hereinafter: Website) about the personal data it processes, as well as its principles and practices regarding the processing of personal data.

The personal data collected by the Data Controller can only be processed for specific, explicit, and lawful purposes, and they cannot be processed in a manner incompatible with these purposes. Furthermore, they must be stored in a form that allows identification of data subjects only for the time necessary for the purposes of processing personal data.

The Data Controller ensures that unauthorized individuals cannot access personal data and that the storage or placement of personal data is designed in such a way that it is not accessible, identifiable, modifiable, or destructible by unauthorized persons.

1. Data Controller Details

Name: Dembell Hungary Kft.

Registered Office: 1124 Budapest, Csörsz utca 43. 2. em.

Tax number: 25019380-2-43

Company registration number: 01-09-195096

Registering court: Company Registry Court of Budapest Capital Regional Court

Phone: +36203538000

Email: sales@dembell.com

Details of Hosting Service Provider:

Name: Webflow, Inc.

Registered Office: 398 11th St 2nd Floor, San Francisco, California 94103, United States

Email: support@webflow.com

Website: www.webflow.com

Data protection requests: if you have any requests or questions regarding data processing, you can send your request by post or electronically to the addresses specified in point 1.

2. Data Processing Cases

2.1. Customer Correspondence, Communication, Contacting

Scope of processed data: Depending on the contact platform (email, contact form on the website, phone number, preferred language, etc.), the processed data may include surname, first name, email address, country, and any other optional data provided by the Data Subject.

Purpose of data processing: if the Data Subject has any questions about the Website, the services, or products of the Data Controller, they can contact the Data Controller through the contact details provided in this Policy and on the Website. The purpose of data processing is to facilitate communication and contact between the Data Controller and the Data Subject regarding any inquiries that may arise.

Data processing period: the Data Controller retains incoming emails and postal letters, along with the sender's name, email address, and any other personal data provided in the message, for a period of 1 year from the date of receipt of the data.

Legal basis for processing: voluntary consent of the Data Subject pursuant to Article 6(1)(a) of the Regulation.

Source of data: collected directly from the Data Subject.

Possible consequences of failure to provide data: may result in the inability to communicate with the Data Subject via customer correspondence.

3. Car Configuration

Scope of processed data: Name, email address.

Purpose of data processing: the Data Subject can assemble a car for themselves based on parameters provided on the configuration page and can send this configuration to a Dembell sales agent with a single click. Additionally, they can send it to the email address they have provided.

Legal basis for processing: voluntary consent of the Data Subject pursuant to Article 6(1)(a) of the Regulation.

Data processing period: the Data Controller processes the configuration email and the personal data contained therein for a period of 90 days from the date of sending.

Source of data: collected directly from the Data Subject.

Possible consequences of failure to provide data: the Data Subject cannot save the plans of the custom car created on the configuration page.

4. Downloading Catalog

Scope of processed data: name, email address.

Purpose of data processing: the Data Controller provides the opportunity for the Data Subject to access and download a catalog showcasing its vehicles and services for their own use.

Legal basis for processing: voluntary consent of the Data Subject pursuant to Article 6(1)(a) of the Regulation.

Data processing period: the Data Controller processes the email address provided by the Data Subject for a period of 90 from the time of sending the download request.

Source of data: collected directly from the Data Subject.

Possible consequences of failure to provide data: the Data Subject cannot download the catalog.

5. Data Processing Related to Contact Information

Scope of processed data: company name, contact person's name, phone number, email address, optionally position, job title.

Purpose of data processing: managing partner relationships through a contact person.

Legal basis for processing: in accordance with Article 6(1)(f) of the Regulation, the legitimate interest of the data controller.

The legitimate interest of the controller (if the legal basis is a legitimate interest): the organizational interest related to maintaining contact with the data subject's company, entering into contracts, and managing contracts.

Data processing period: until the objection of the contact person, or in the absence of such objection, for a period of 1 year following the termination of the business relationship.

In the case of data not originating from the data subject, the source of personal data: From the company's manager or another employee.

Summary of the balancing of interests test:

During the balancing of interests, it has been determined that the Data Controller has a legitimate interest in effectively addressing legal disputes and regulatory proceedings to enforce its rights successfully. The processing has a minimal impact on the Data Subject's privacy, which does not exceed the Data Subject's reasonable expectations. Since the processing is necessary for the legitimate interests pursued by the Data Controller, and these interests do not override the Data Subject's interests or fundamental rights and freedoms requiring the protection of personal data, the specified data may be processed by the Data Controller under Article 6(1)(f) of the GDPR.

5.1. Complaint handling

Scope of processed data: first and last name, depending on the contact platform, e-mail address, telephone number, complaint submitted by the Data Subject.

Purpose of data processing: if the Data Controller handles the Data Subject's complaint related to the services provided, it also involves the processing of personal data during the complaint handling process. The purpose of data processing is to implement complaint handling in accordance with legal requirements, as well as to facilitate communication and contact between the Data Controller and the Data Subject regarding the raised complaint.

Data processing period: in accordance with the rules set forth in Act CLV of 1997 on Consumer Protection, the Data Controller is obliged to retain the complaint for a period of 3 years.

Legal basis for processing: in accordance with Article 6(1)(c) of the Regulation, the fulfillment of legal obligations prescribed in the consumer protection law and the Civil Code.

Source of data: collected directly from the Data Subject.

Possible consequences of failure to provide data: failure to address the complaint and provide personal data will result in the Data Controller's inability to contact the Data Subject regarding the specific issue and resolve the problem.

5.2. Newsletter

Scope of processed data: name, email address, date of subscription.

Purpose of data processing: by subscribing to the newsletter, the Data Subject voluntarily consents to the Data Controller sending newsletters, offers, and exhibition-related information for direct marketing purposes. In subscribing to the newsletter, the Data Subject acknowledges and accepts the Data Controller's data processing rules as specified in this Notice regarding the processing of personal data.

Data processing period: the subscription to the newsletter is valid until the Data Subject unsubscribes. The Data Subject may unsubscribe from receiving the newsletter at any time, free of charge, without restriction and without giving any reason.

The Data Subject can unsubscribe from the newsletters using the following methods:

− notify the Data Controller of the intention to unsubscribe by sending an email to the email address provided in point 1.

− click on the unsubscribe link found in the newsletters.

Legal basis for processing: voluntary consent of the Data Subject pursuant to Article 6(1)(a) of the Regulation.

Source of data: collected directly from the Data Subject.

Possible consequences of failure to provide data: the Data Controller does not send newsletters to the Data Subject, and in case of unsubscribing, the Data Controller does not contact the Data Subject with further newsletters or offers.

6. Data Transfer

Personal data is primarily accessible to the Data Controller and data processors appointed by the Data Controller to perform their tasks. In addition, the Data Subject's personal data may be transmitted to another data controller in the following cases.

The Data Controller informs the Data Subject that courts, prosecutors, investigative authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, and other bodies authorized by law may contact the Data Controller to provide information, disclose data, transfer data, or provide documents.

The Data Controller only discloses personal data to authorities – if the authority has specified the exact purpose and scope of the data – to the extent necessary to achieve the purpose of the request.

7. Access to Data, Data Security Measures, Backups

7.1. Data Security Measures

The Data Controller takes all necessary measures to ensure the security of data and ensures their adequate protection, especially against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental loss or damage. The Data Controller ensures the security of data through appropriate technical and organizational measures.

The computer system of the Website is located on the servers of the data processor in the United States (https://webflow.com/legal/subprocessors).

The Data Controller shall select and operate the IT tools used to process personal data in the course of providing the service in such a way that the processed data:

− is accessible to those authorised to access it (availability);

− its authenticity is ensured (authenticity of processing);

− its integrity can be verified (data integrity);

− is protected against unauthorised access (data confidentiality).

The data controller shall maintain during the processing:

− confidentiality: it protects information so that only those who are entitled to access it have access to it;

− integrity: it protects the accuracy and integrity of the information and the processing method;

− availability: it ensures that when the authorised user needs it, he has effective access to the information and the means to obtain it.

7.2. Backup Management Policy

The Data Controller shall ensure, in particular, that measures are taken to ensure the possibility of restoring data files, including regular backups and the separate and secure management of copies (backups), as part of its duties relating to the protection of information systems.

Accordingly, in order to prevent the loss of electronically stored data, the Data Controller does not make backups regularly of the data in its database, but restore points are created automatically on every 50th auto-save, including personal data, on a separate storage medium.

Duration of backup storage: 90 days.

Backups are not automatically overwritten by the previous backup to facilitate their deletion.

Access to backups: Access to backups is restricted, and only individuals with specific authorization are allowed access. Restoration of backups is only permitted in case of system destruction or data loss, with the approval of the current senior executive.

8. Data Processing

The Data Controller is entitled, in accordance with applicable laws, to engage data processors for certain technical operations or for the purpose of providing services. The data processor is only authorized to carry out instructions and decisions of the Data Controller.

1. Crea Space LTD

Registered Office: 20-22 Wenlock Road, London, N1 7GU, UNITED KINGDOM

Email: hello@crea.space

Activity: Website development

2. CookieYes Limited

Registered Office: 3 Warren Yard Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom

Email: info@cookieyes.com

Activity: Cookie management system

3. Webflow, Inc.

Registered Office: 398 11th St 2nd Floor, San Francisco, California 94103, United States

Email: support@webflow.com

Activity: Hosting Service Provider

9. Rights of the Data Subject

9.1. Information and Access to Personal Data

The Data Subject can request information from the Data Controller in writing via the contact details provided in point 1, so that the Data Controller can inform:

− what personal data,

− on what legal basis,

− for what purpose,

− from what source,

− for what purpose and for how long it is processed,

− to whom, when, under what law, and to which personal data the controller has given access, or to whom the controller has transferred the personal data.

If the Data Subject wishes to exercise their rights, it will require identification, and there will necessarily be communication between the Data Subject and the Data Controller. Therefore, providing personal data will be necessary for identification purposes (but identification can only be based on data that the Data Controller already processes about the Data Subject), and complaints regarding data processing from Data Subjects will be available in the Data Controller's email inbox within the timeframe specified in this notice.

The Data Controller responds to complaints related to data processing within the deadline specified in point 6.8.

The Data Controller provides information to the Data Subject in widely used electronic formats, except if the Data Subject requests it in writing on paper. The Data Controller does not provide verbal information over the phone regarding the personal data it manages.

The Data Controller provides the Data Subject with a copy of their personal data free of charge for the first time. For additional copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject requests the copy electronically, the information will be provided to the Data Subject by email in a widely used electronic format by the Data Controller.

After receiving the information, if the Data Subject disagrees with the data processing or the accuracy of the processed data, they can request correction, supplementation, deletion, restriction of processing, or object to the processing of such personal data in accordance with point 6. They may also initiate the procedure specified in point 6.

9.2. Right to Rectification and Integration of Personal Data Processed

At the written request of the Data Subject, the Data Controller shall, without undue delay, correct inaccurate personal data provided by the Data Subject in writing or complete the incomplete data with the content indicated by the Data Subject. The Controller shall inform any recipient to whom it has disclosed the personal data of the rectification or completion unless this proves impossible or involves a disproportionate effort. The Controller shall inform the Data Subject of the data of such recipients if he or she so requests in writing.

9.3. Right to Restriction of Processing

The Data Subject may request from the Data Controller, in writing, the restriction of processing of their data if:

− They contest the accuracy of the personal data; in which case the restriction applies for a period allowing the Data Controller to verify the accuracy of the personal data.

− The processing is unlawful, and the Data Subject opposes the erasure of the data and requests the restriction of their use instead.

− The Data Controller no longer needs the personal data for processing purposes, but the Data Subject requires them for the establishment, exercise, or defense of legal claims.

− The Data Subject has objected to processing; in this case, the restriction shall apply for the period until it is verified whether the legitimate grounds of the Data Controller override those of the Data Subject.

A Data Controller may only process the restricted personal data, apart from storage, with the consent of the Data Subject or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. The Data Controller shall inform the Data Subject, whose request for restriction of processing has been granted, prior to lifting the restriction of processing.

9.4. Right to Erasure (Right to be Forgotten)

The Data Controller is obliged, upon request of the Data Subject, to erase the personal data concerning the Data Subject without undue delay if one of the following reasons applies:

− the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Data Controller;

− the Data Subject withdraws consent and there is no other legal basis for the processing;

− the Data Subject objects to the processing based on legitimate interests and there are no overriding legitimate grounds for the processing;

− the personal data have been unlawfully processed, and this has been established based on a complaint;

− the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the Data Controller is subject.

If the Data Controller has made the personal data concerning you, as the Data Subject, public and is obliged to erase it for any of the reasons mentioned above, the Data Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other data controllers processing the data that you have requested the erasure of any links to, or copy or replication of, those personal data. However, as a general rule, the Data Controller does not disclose the personal data of the Data Subject.

The erasure shall not apply where processing is necessary:

− for exercising the right of freedom of expression and information;

− for compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

− for the establishment, exercise, or defense of legal claims (e.g., if there is an outstanding claim against the Data Subject and it has not been satisfied yet, or if there is an ongoing consumer or data processing complaint).

9.5. Right to data portability

If the data processing is necessary for the performance of a contract or based on the Data Subject's voluntary consent, the Data Subject has the right to request that the data provided by the Data Subject to the Data Controller be received by the Data Subject in a machine-readable format. The Data Controller shall provide the data to the Data Subject in XML, JSON, or CSV format, if technically feasible. Additionally, upon request and if technically feasible, the Data Subject may ask the Data Controller to transmit the data to another data controller in one of the aforementioned formats.

The entitlement is limited to the data directly provided by the Data Subject; there is no possibility for the portability of other data (e.g., statistics, etc.).

With regard to the personal data relating to him or her that are contained in the Controller's system, the Data Subject:

− is entitled to receive it in a structured, commonly used, machine-readable format;

− is entitled to transmit it to another controller;

− may request the direct transfer of the data to another controller, if technically feasible in the Controller's system.

The Data Controller fulfills requests regarding data portability exclusively based on a written request sent via email or postal mail. To fulfill the request, the Data Controller needs to ensure that it is indeed the entitled Data Subject who wishes to exercise this right. Within this right, the Data Subject can demand the portability of data that they themselves provided to the Data Controller. Exercising this right does not automatically result in the deletion of the data from the Data Controller's systems. Therefore, even after the Data Subject exercises this right, their data will still be retained in the Data Controller's systems unless they request deletion of their data as well.

9.6. Objection to the processing of personal data

The Data Subject may object to the processing of their personal data by the Data Controller through a statement addressed to the Data Controller if the legal basis for the data processing is:

− a public interest pursuant to Article 6(1)(e) of the GDPR; or

− legitimate interests pursued by the Data Controller or a third party according to Article 6(1)(f) of the GDPR.

In the event of exercising the right to object, the Data Controller shall cease processing the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims.

It is the decision of the Data Controller to determine whether compelling legitimate grounds exist for the processing. The Data Controller informs the Data Subject of its position regarding this matter in writing.

The Data Subject can only object to the processing of their personal data by submitting a written request, which must be sent to the Data Controller via email or postal mail.

9.7. Exercise of Rights of the Deceased Data Subject by Others

Within five years following the death of the Data Subject, the rights accorded to the deceased during their lifetime, such as the right of access, rectification, erasure, restriction of processing, data portability, and objection, may be exercised by a person authorized by the deceased through testamentary disposition or in a public document or a fully probative private document, specified with the Data Controller. If the deceased has made multiple such declarations with the Data Controller, the person named in the declaration made at a later date may assert these rights.

If the deceased has not made such a declaration, then the close relative as defined by the Civil Code may exercise the rights accorded to the deceased and specified in the preceding paragraph within five years following the death of the Data Subject (in the case of several close relatives, the right to exercise the aforementioned rights belongs to the close relative who first exercises this entitlement).

According to Section 8:1 (1) 1. of the Civil Code, close relatives include the spouse, direct relatives, adopted children, stepchildren, foster children, adoptive, step, and foster parents, and siblings of the deceased. The close relative of the deceased is obliged to prove:

− the fact and time of death of the deceased Data Subject with an extract from the death register or a court decision, and

− their own identity - and if necessary, their status as a close relative - with a public document.

The person exercising the rights of the deceased shall be entitled to the rights and shall be subject to the obligations that were accorded to the deceased during their lifetime, including actions against the Data Controller, and procedures before the National Authority for Data Protection and Freedom of Information or the court, in accordance with the GDPR and the Regulation.

Upon written request, the Data Controller is obliged to inform the close relative of the measures taken, unless expressly prohibited by the deceased in their declaration.

9.8. Deadline for Fulfillment of Requests

The Data Controller shall inform the Data Subject of the measures taken without undue delay, and in any case within one month of receipt of any request as per point 6. If necessary, considering the complexity and number of requests, this deadline may be extended by a further two months, but the Data Controller shall inform the Data Subject within one month of receipt of the request, indicating the reasons for the delay, as well as the right of the Data Subject to lodge a complaint with the supervisory authority and to seek judicial remedy.

If the Data Subject's request is clearly unfounded or excessive (especially due to its repetitive nature), the Data Controller may charge a reasonable fee for the provision of the requested information or refuse to act on the request. The burden of proof for this rests with the Data Controller.

If the Data Subject has submitted the request electronically, the information shall be provided electronically by the Data Controller, unless otherwise requested by the Data Subject.

The Data Controller shall inform all recipients of any rectification, erasure, or restriction of processing carried out by the Data Controller, unless this proves impossible or involves disproportionate effort. Upon request of the Data Subject, the Data Controller shall inform them about these recipients.

9.9. Compensation and Damages

Any person who has suffered material or non-material damage as a result of a violation of the Regulation is entitled to compensation from the Data Controller or the Data Processor for the damage suffered. The Data Processor shall only be liable for damages resulting from data processing if it has not complied with the obligations specifically imposed on data processors by law, or if it has disregarded or acted contrary to the lawful instructions of the Data Controller. The Data Controller or the Data Processor shall be exempt from liability if they can prove that they are in no way responsible for the event causing the damage.

10. Legal Remedies

The Data Subject may exercise their rights through a written request sent via email or postal mail.

The Data Subject cannot assert their rights if the Data Controller proves that it is unable to identify the Data Subject. If the Data Subject's request is clearly unfounded or excessive (especially considering its repetitive nature), the Data Controller may charge a reasonable fee for providing the requested information or refuse to act on the request. The burden of proof for this rests with the Data Controller. If there is doubt on the part of the Data Controller regarding the identity of the natural person submitting the request, it may request further information to confirm the identity of the requester.

The Data Subject may, under the Act on Informational Self-Determination and Freedom of Information, the Regulation, and the Civil Code (Act V of 2013),

− Turn to the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa u. 9-11; www.naih.hu) or

− Enforce their rights before a court. The lawsuit - at the choice of the Data Subject - can also be initiated before the court of their place of residence (you can find a list of courts and their contact information at the following link: http://birosag.hu/torvenyszekek).

11. Handling Data Protection Incidents

A data protection incident is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The data controller maintains records of measures taken regarding data protection incidents, informs the supervisory authority, and notifies the data subjects. These records include the scope of personal data involved, the number of data subjects affected, the timing, circumstances, effects of the incident, and the measures taken to address it. In the event of a data protection incident, unless it does not pose a risk to the rights and freedoms of natural persons, the data controller informs the data subjects and the supervisory authority without undue delay, but no later than 72 hours after becoming aware of the incident.

12. Other Provisions

The data controller reserves the right to unilaterally modify this Data Processing Information, with prior notice to the data subject, especially but not exclusively in the event of changes in legislation. The modifications shall take effect against the data subject on the date specified in the notification, unless objected to by the data subject.

If the data subject has provided third-party data to access the service and caused any harm in any way, the data controller is entitled to seek compensation from the data subject.

The data controller does not verify the personal data provided to them. The accuracy of the provided data is solely the responsibility of the person providing it. When providing personal data, the data subject also undertakes responsibility for ensuring that the provided data is accurate, and only they use the service with their personal data.

The data controller reserves the right to modify this Data Processing Information in a manner that does not affect the purpose and legal basis of the data processing.

However, if we intend to carry out further data processing for purposes other than those for which the data was collected, we will inform the data subject of the purpose of the data processing and all relevant information before further data processing.

Data processing can only commence after this; if the legal basis for processing is consent, the data subject must also consent in addition to being informed.