THE PROTECTION OF NATURAL PERSONS RIGHTS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

INTRODUCTION

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR Regulation", "Regulation", General Data Protection Regulation) requires that the Data Controller shall take appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, and to facilitate the exercise of the data subject's rights.

The obligation to inform the data subject in advance is also required by Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information. The following notice is provided to comply with this legal obligation.

Why is this privacy notice made?

During its operation, the Data Controller handles personal data for several purposes, while respecting the rights of the data subjects and fulfilling legal obligations. The Data Controller also considers it important to present to the data subject the handling and the most important characteristics of the personal data that came to the controller’s knowledge during the data processing activities.

What is the legal basis of processing the data subjects’ personal data?

Personal data is only processed for a specific purpose and on an appropriate legal basis. These purposes and legal bases are presented individually, in relation to specific data processing.

What external assistance is used to process your personal data?

Personal data is mostly processed by the Data Controller at own premises. However, there are operations for which a data processor’s external help is necessary. The data processor may change according to the characteristics of each data processing.

Who is processing your personal data?

The Data Subject's personal data may be disclosed to the Data Controller or Data Processor named in Section I of this Privacy Notice and to those to whom the Data Subject's personal data is disclosed or transferred (collectively, recipients).

What principles does the Data Controller consider important when processing your personal data?

Personal data is processed in accordance with the applicable legislation, in particular Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR Regulation).

In the course of the Data Controller's activities, only the personal data specified in the scope of individual processing are processed and the security of the personal data provided is protected by technical and organisational measures that are both possible and necessary. Special attention will be paid to ensure the confidentiality, integrity and availability of personal data.

The Data Controller is responsible for the authenticity and accuracy of the personal data once they have been provided by the Data Subject. The terms used in this notice shall have the meaning given to them in the interpretative provisions of the GDPR Regulation and on the Right of Informational Self-Determination.

SECTION I

NAME OF THE CONTROLLER

The issuer of this privacy notice is also the Data Controller:

COMPANY NAME: Photon Technologies Limited Liability Company

REGISTERED SEAT: 9022 Győr, Liszt Ferenc utca 40.

COMPANY REGISTRATION NUMBER: 08-09-034570

TAX NUMBER: 26218362-2-08

REPRESENTED BY: Dániel Károly Csala Managing Director

CONTACT: Under the "contact" section at https://photon.rocks/

(hereinafter referred to as "Company", "Data Controller")

SECTION II

NAME OF THE DATA PROCESSORS

Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Regulation Article 4 8.)

To use a data processor, prior consent from the data subject is not required, but he or she must be notified. Accordingly, the following information is provided:

IT service provider

COMPANY NAME: Optimonk International Private Limited Company

REGISTERED SEAT: 4028 Debrecen, Kassai út 129.

COMPANY REGISTRATION NUMBER: 09-10-000583

TAX NUMBER: 26335498-2-09

WEBSITE: https://www.optimonk.hu/

Payment service provider for bank card transactions:

COMPANY NAME: Barion Payment Zártkörűen Működő Részvénytársaság

REGISTERED SEAT: 1117 Budapest, Infopark sétány 1. I. ép. 5. em. 5.

COMPANY REGISTRATION NUMBER: 01-10-048552

TAX NUMBER: 25353192-2-43

Data processor performing accounting and payroll tasks:

COMPANY NAME: Reliable Account Szolgáltató Kft.

REGISTERED SEAT: 1043 Budapest, Csányi László utca 34.

COMPANY REGISTRATION NUMBER: 01-09-969884

TAX NUMBER: 23529515-2-41

Data processor performing invoicing activities:

COMPANY NAME: Billingo Technologies Zrt.

REGISTERED SEAT: 1133 Budapest, Árbóc utca 6. I. emelet

COMPANY REGISTRATION NUMBER: 01-10-140802

TAX NUMBER: 27926309-2-41

WEBSITE: https://www.billingo.hu/

Furthermore, the data controller transfers data to the respective photo and video contractors.

Other Recipients:

COMPANY NAME: Google LLC

REGISTERED SEAT: Gordon House, Barrow Street, Dublin 4, Ireland

(Entity listed in DPF)

WEBSITE: https://www.google.co.uk/

COMPANY NAME: Meta Platforms, Inc.

REGISTERED SEAT: 4 Grand Canal Square, Grand Canal Harbour Dublin 2, Ireland

(Entity listed in DPF)

WEBSITE: https://www.facebook.com/

COMPANY NAME: Stripe, Inc.

REGISTERED SEAT: 354 Oyster Point Blvd South San Francisco, CA 94080

(Entity listed in DPF)

WEBSITE: https://stripe.com/en-hu

COMPANY NAME: Adobe Inc.

REGISTERED SEAT: 345 Park Avenue San Jose, CA 95110

(Entity listed in DPF)

WEBSITE: https://www.adobe.com/

COMPANY NAME: PayPal Holdings, Inc.

REGISTERED SEAT: 2211 North First Street, San Jose, CA 95131, US

WEBSITE: https://www.paypal.com/

COMPANY NAME: Twilio Inc. (SendGrid)

REGISTERED SEAT: 101 Spear St FL 5 San Francisco, CA 94105

(Entity listed in DPF)

WEBSITE: https://sendgrid.com/

COMPANY NAME: CONTABO GMBH

REGISTERED SEAT: Aschauer Straße 32a, 81549 München

WEBSITE: https://www.contabo.com/

COMPANY NAME: CLOSTE LLC

REGISTERED SEAT: 1603 Capitol Ave., Suite 310 A546, Cheyenne, Wyoming 82001

WEBSITE: https://www.closte.com/

COMPANY NAME: JN PROJECTS, INC // HELLOSIGN INC (DROPBOX INC COVERED)

REGISTERED SEAT: 333 Brannan St San Francisco, CA, 94107-1810 United States

WEBSITE: https://www.hellosign.com/

COMPANY NAME: WeTransfer B.V.

REGISTERED SEAT: Willem Fenengastraat 19 1096 BL Amsterdam The Netherlands

TAX NUMBER: NL826110976B01

WEBSITE: https://wetransfer.com/

COMPANY NAME: Hotjar Ltd.

REGISTERED SEAT: Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta

WEBSITE: https://www.hotjar.com/

Where the Privacy Notice generally refers to transfers to the Company's data processors, such transfers shall also be understood as transfers to the above recipients.

SECTION III.

LAWFULNESS OF PROCESSING

1. Data processing based on the data subject’s consent

1.1. Where the Company intends to carry out data processing based on consent, the data subject's consent to the processing of his or her personal data shall be obtained by means of the data request form and information as set out in the Data Processing Policy.

1.2. Consent shall also be deemed to be given if the data subject ticks a box when viewing the Company's website, makes the relevant technical settings when using information society services, or makes any other statement or takes any other action which clearly indicates the data subject's consent to the intended processing of his or her personal data in the relevant context. Silence, ticking a box or inaction therefore does not constitute consent.  The continuation of a telephone call after having been duly informed shall constitute consent.

1.3. Consent covers all processing activities carried out for the same purpose or purposes. Where processing is carried out for more than one purpose, consent shall be given for all the purposes for which the processing is carried out.

1.4. Where the data subject gives his or her consent in the context of a written statement which also relates to other matters, such as the conclusion of a sales or service contract, the request for consent must be presented in a manner clearly distinguishable from those other matters, in a clear and easily accessible form, in clear and plain language. Any part of such a statement containing the consent of the data subject which is in breach of the Regulation shall not be binding.

1.5. The Company shall not make the conclusion or performance of a contract conditional on the giving of consent to the processing of personal data which are not necessary for the performance of the contract.

1.6. The withdrawal of consent must be made as simple as the giving of consent.

1.7. If the collection of personal data has been carried out with the consent of the data subject, unless otherwise provided by law, the data controller may process the collected data for the purpose of fulfilling a legal obligation to which the data controller is subject, even without the data subject's further consent and after the data subject's consent has been withdrawn.

2. Data processing based on performing legal obligations

2.1. In the case of data processing based on performing legal obligations, the scope of the data that can be processed, the purpose of the data processing, the duration of data storage and the recipients are governed by the provisions of the underlying legislation.

2.2. The processing of personal data for compliance with a legal obligation is based on the regulation, regardless of the consent of the data subject.

In this case, prior to the processing of the data, the data subject shall be informed that the data processing is obligatory and shall be clearly and in detail informed of all facts concerning the processing, in particular the purpose and legal basis of the data processing, the person authorized to handle and process the data, the duration of the data processing, whether the personal data of the data subject are processed by the Data Controller on the basis of the legal obligation applicable to him or her, and who can get access to the data. The information shall include the rights and remedies available to the data subject. In the case of mandatory data processing, the information may also take place with the publication of a reference to the legislative provisions which contain the foregoing information.

3. Data processing based on legitimate interests

3.1. The legitimate interests of the Company or a third party may provide a legal basis for the processing, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. The reasonable expectations of the data subject based on his or her relationship with the controller should be taken into account, so that the processing of personal data for contact purposes, even for direct marketing purposes, may be considered to be based on legitimate interests.

3.2. The processing based on legitimate interests requires a balancing of interests test, in which the Company will always take into account the current circumstances and the situation of the controller and the data subjects. In the case of processing in the interest of the Company, the balancing of interests tests carried out separately have led to the following result: in the balancing of interests test, the Company has concluded, taking into account the conditions described for the processing in question, that the processing is justified subject to the appropriate safeguards, as set out in this Policy, without which the Company would not be able to operate competitively. In this light, the emotional impact on data subjects and the harm to their right to privacy can be considered proportionate.

4. Data processing for the protection of the vital interests of the data subject or other natural person

4.1. Protection of the life or other vital interests of the data subject or the interests of another natural person may also constitute a legal basis for processing. Such is the case for a natural person where processing is carried out in order to receive healthcare services or to prevent the spread of epidemics.

5. Data processing based on contractual interests

5.1. Data processing may also be based on a contractual interest if it is necessary for the performance of a contract in which the data subject is a party or if it is requested by the data subject in order to prepare the contract.

6. Promoting the rights of the data subject

6.1. The Company is obliged to ensure the exercise of the rights of the data subject during all data processing.

SECTION IV

INFORMATION ABOUT DATA PROCESSING BY THE COMPANY

Data processing of a natural person (either a private entrepreneur or an individual who issues an invoice) who has entered into a contract with the Data Controller

(1) On the basis of performing the contract, the Company may process the name, birth name, date of birth, mother's name, address, tax identification number, tax number, registration number, residence, registered seat, telephone number, email address, website address, bank account number, customer number (client number, order number), online identifier (customer lists, supplier lists, loyalty program lists) of the natural person with whom the Company has a contractual relationship, including for the purpose of preparing, concluding, performing, terminating the contract, and offering contractual benefits - summarized as supporting economic processes in the common interest. Such data processing is also lawful if it is necessary to take steps upon the request of the data subject prior to the conclusion of the contract.

(2) In view of the Company's long-term business relationship, the storage duration of the personal data is 8 years after the termination of the contract.

(3) Recipients of personal data: personal data may be accessed by employees of the Data Controller who are involved in the preparation, execution and storage of the contract. Executive officers of the Company, employees performing customer service related tasks, contact persons, data processors of the Company, in particular employees performing sales tasks, and data processors. Furthermore, the bodies specified by law which are authorised to monitor by the law.

(4) The personal data may be transferred for postal delivery purposes to the Hungarian Post or the contracted delivery service, for the purpose of asset protection to the data controller's asset protection agent, and to the data controller's data processors.

(5) The processing shall be considered lawful if it is necessary in the context of a contract or the intention to conclude a contract (Preamble 44) if it is necessary for the purposes of taking steps at the request of the data subject prior to the conclusion of the contract (Article 6 (1) b.). Thus, personal data collected in the context of contractual offers may also be processed for the purposes of the performance of a contract as described in this point. When making or receiving an offer, the Company is obliged to inform the offeror or the offeree of the offer.

Data processing related to the issuing of invoices and the storage of supporting documents for contracts concluded by the data controller.

(1) Purpose of data processing: to issue invoices and fulfil the obligation to store accounting documents in order to pay the consideration for the service pursuant to Act CXXVII of 2007 on value added tax.

(2) Data subjects: the natural person who has entered into a contract with the Data Controller or the representative of the person who has entered into a contract with the Data Controller.

(3) Scope of personal data that can be processed: name and address of the natural person; name, registered seat and tax number of the private entrepreneur; tax number of the legal person

(4) Legal basis for processing: necessary for the fulfilment of a legal obligation of the Data Controller. [Article 6(1)(c) GDPR]

(5) Recipients and categories of recipients of the personal data: data processors of the Company, in particular employees performing accounting and tax tasks, and data processors. National Tax and Customs Administration

(6) Storage period of personal data: pursuant to Article 169 (2) of Act C of 2000 on Accounting, for 8 years after the invoice is issued.

Processing of data of natural persons signing a contract on behalf of a legal person entering into a contract with the Data Controller

(1) Purpose of the processing: the purpose of the processing is to establish a contract, exercise the rights and obligations contained in the contract, enforce any civil law claims that may arise in the performance of the contract, and to record and fulfil the obligations undertaken by the Data Controller.

(2) Data subjects: natural persons who sign the contract

(3) Scope of personal data that can be processed: the natural person who signs:

• Name, title (job title)
• E-mail address
• telephone number
• mailing address
• specimen signature

(4) Legal basis for processing: the legitimate interests of the Data Controller based on the following balancing of interests test [Article 6(1)(f) GDPR].

The Data Controllers assess whether the legal basis for the processing of the natural persons who have signed the contract is in accordance with the legitimate interest referred to in Article 6(1)(f) GDPR and that the processing does not adversely affect the interests or fundamental rights and freedoms of the Data Subjects in such a way that the legitimate interests of the Data Controllers are overridden (the specific interests or fundamental rights and freedoms of the Data Subject do not prevail over the interest).

The processing of the specimen signature is necessary to comply with the Data Controller's legal obligations. [Article 6 (1) (c) GDPR] The Data Controller is obliged to process the signature of the contracting partner's representative pursuant to Section 3:116 (1) of Act V of 2013.

(5) Recipients and categories of recipients of the personal data: the personal data may be accessed by the employees of the Data Controller who are involved in the preparation, execution and storage of the contract. Executive officers of the Company, employees performing customer service related tasks, contact persons, employees of the Company performing sales tasks. In addition, the bodies specified by law as authorised by law to carry out monitoring.

(6) Storage period of personal data: 8 years after termination of the contract.

Processing of the data of the natural person indicated as contact person in the contracts - not the signatory

(1) Purpose of data processing: to ensure the communication in connection with the performance of the contract, document, the facilitation of the performance, the maintenance of the contractual relationship.

(2) Data subjects: natural persons designated as contact persons - not signatories

(3) Scope of personal data that can be processed: natural person designated as the contact person

• Name, title (job title)
• E-mail address
• telephone number
• mailing address

(4) Legal basis for processing: the legitimate interests of the Data Controller based on the following balancing of interests test [Article 6(1)(f) GDPR].

The Data Controllers assess that the legal basis for the processing of the external partners' contact persons' data is in accordance with the legitimate interest referred to in Article 6(1)(f) of the GDPR and that the processing does not adversely affect the interests or fundamental rights and freedoms of the Data Subjects in such a way that the legitimate interests of the Data Controllers are overridden (the specific interests or fundamental rights and freedoms of the Data Subject do not prevail over the interest).

(5) Recipients and categories of recipients of the personal data: the personal data may be accessed by the employees of the Data Controller who are involved in the preparation, execution and storage of the contract. Employees of the Company, employees performing customer service tasks, contact persons, employees of the Company performing sales tasks. In addition, the bodies specified by law as authorised by law to carry out monitoring.

(6) Storage period of personal data: 8 years after termination of the contract.

Sending messages, registration on the Company's website

(1) A natural person sending a message or registering on the website may give his/her consent to the processing of his/her personal data by ticking the relevant box.

(2) The scope of personal data that can be processed: the name (surname, first name), address, telephone number, e-mail address, online identifier, billing and postal name and address of the natural person.

(3) Purpose of the processing of personal data:

Requests for services, requests for information and offers

(4) Legal basis for data processing: the data subject's freely given consent [Article 6(1)(a) GDPR]. Freely given consent may be withdrawn at any time. We inform you that the withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal. Please include your name and e-mail address in the request for erasure for identification purposes.

(5) The recipients and categories of recipients of personal data: the employees of the Company performing tasks related to customer service, marketing activities, data processors of the Company as data processors, in particular the IT, Marketing service provider of the Company.

(6) Storage period of personal data: 5 years or until the data subject's consent is withdrawn (request for erasure).

(7) The data subject acknowledges that the submission of the data is not a requirement for the conclusion of a contract and is not obliged to provide his/her personal data. The possible consequence of not providing the data is the failure to provide information or to conclude a contract.

Data processing in the Company's webshop

(1) Purchases made in the webshop operated by the Company shall be considered as a contract, taking into account Article 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services, and Government Decree 45/2014 (26.II.) on the detailed rules of contracts between consumers and businesses.In case of purchases made in the webshop, the legal title of data processing is the contract.

(2) The Company may process the personal identification data and the address necessary for the identification of the customer registering and purchasing in the webshop, for the purpose of establishing, defining, modifying, monitoring the performance, invoicing fees, and enforcing claims related to contracts for providing information society services, on the basis of Article 13/A (1) of Act CVIII of 2001, as well as the telephone number, e-mail address, bank account number and online identifier of the customer, on the basis of consent.

(3) For billing purposes, the Company may process the personal identification data, address, delivery address, as well as data related to the time, duration, and location of the use of the information society service, under the legal basis of Article 13/A (2) of Act CVIII of 2001.

(4) The recipients and categories of recipients of personal data: the Company's employees performing tasks related to customer service, finance, delivery, marketing activities, as data processors, the Company's data processors, in particular the employees of the company performing the Company's tax and accounting tasks, for the purpose of fulfilling tax and accounting obligations, the employees of the Company's IT service provider for the purpose of fulfilling hosting services, the employees of the courier service in relation to delivery data (name, address, telephone number), the Company's account manager and the respective photo and video contractors.

(5) Duration of the processing of personal data: until the registration/service is completed or until the data subject's consent is withdrawn (request for erasure), in case of a purchase, until the end of the 8th year following the year of purchase.

Data processing related to newsletter services

(1) The natural person registering for the newsletter service on the website, acting on behalf of a legal entity, acknowledges by ticking the relevant box that, for the purpose of sending newsletters, marketing enquiries, information material, the data subject's consent is required to process his/her data until the service is active or until the request for erasure (unsubscribe request sent by email) is received.

Pre-checking the box is prohibited. At the time of subscription, a link to the Privacy Notice (Annex 2) must be made available. The data subject can unsubscribe from the newsletter at any time by written or email declaration. In such cases, all data of the unsubscriber must be promptly deleted.

(2) The scope of the personal data processed: the name of the natural person (surname, first name), e-mail address.

(3) Scope of data subjects: Subscribers to the newsletter.

(4) Purpose of processing personal data:

• Sending newsletters regarding the Company's services
• Sending promotional materials, informational content

(5) Legal basis for processing: freely given consent of the data subject. [Article 6(1)(a) GDPR]. Freely given consent may be withdrawn at any time. We inform you that the withdrawal of your consent does not affect the lawfulness of the processing prior to the withdrawal. In the request for erasure, the name and e-mail address of the data subject must be indicated for identification purposes.

The legal consequence of not giving consent is that the service is not provided.

(6) The recipients and categories of recipients of personal data: employees of the Company performing customer service and marketing tasks, data processors of the Company as data processors, in particular, the newsletter, marketing and IT service provider's employees for the purpose of performing hosting services.

(7) Duration of the storage of personal data: In case of a newsletter, the Data Controller processes the data provided by the data subject when subscribing to the newsletter until the data subject unsubscribes from the newsletter by clicking on the "Unsubscribe" button at the bottom of the newsletter. In case of unsubscription, the Data Controller will no longer send the newsletter to the data subject. The data subject may unsubscribe from the newsletter and withdraw his/her consent at any time, free of charge.

(8) The data subject acknowledges that the submission of data is not a requirement for the conclusion of a contract, and is not obliged to provide his/her personal data. The possible consequence of not providing the data is the non-delivery of the newsletter.

Data processing in relation to social media (Facebook, Instagram)

(1) Our company has limited influence over the data processing activities of social media platform operators. In places where we can influence and parameterize it, within the available options, we promote data processing practices that are compliant with data protection regulations. However, in most cases, we have no control over the operator's activities, so we have no information about exactly what data is processed.

Facebook's privacy policy can be found at: https://www.facebook.com/privacy/explanation/

Instagram's privacy policy can be found at: https://help.instagram.com/519522125107875

(2) The Data Controller manages its own page on Facebook. The data subject can subscribe to the news feeds posted on the Facebook page's timeline by clicking on the "thumbs up" or "like" link on the pages. To communicate with the Data Controller via Facebook, you must be logged in. For this purpose, Facebook also requests, stores and processes personal data. The Controller has no control over the type, scope and processing of these data and does not receive personal data from the Facebook operator. On Facebook pages, the Data Controller processes the personal data of followers on the basis of the freely given consent of the followers, which is considered as given by the fact that the person likes, follows or comments on the page or posts. By requesting a service on the Controller's Facebook page, the data subject declares that he or she is over 16 years of age. A person under 16 years of age shall, pursuant to Article 8(1) of the GDPR, require the consent of his or her legal representative in order to give his or her consent to the processing. The controller is not in a position to verify the age and authorisation of the person giving the consent, so the data subject guarantees that the data provided are valid.

(3) Purpose of data processing: providing information about current updates, news related to the Data Controller, advertising on social media platforms, presenting and promoting services. The Data Controller uses the Facebook page for marketing purposes to introduce its services to interested parties and to establish communication with them.

(4) Legal basis for processing: the data subject's freely given consent (in accordance with the Facebook, Instagram, Linkedin and YouTube Privacy Policy)

(5) Scope of data processed: the name of the data subject; data subjects: users of the social media platform

(6) Duration of data processing: the data subject can unsubscribe from following the Data Controller's Facebook page by clicking the "dislike" or "unlike" button, or they can remove unwanted content using the settings of the page's timeline. The processing continues as long as the service is active.

(7) Recipients: employees of the data controller performing customer service and marketing-related tasks, data processors of the Company as data processors, in particular the IT service provider of the Company.

(8) The data subject acknowledges that the submission of data is not a requirement for the conclusion of a contract and is not obliged to provide his/her personal data. The possible consequence of not providing the data is the failure to inform the Data Subject about current news and services concerning the Data Controller.

Data processing related to organising a prize draw

(1) If the company organises a prize draw (Article 23 of Act XXXIV of 1991), it may process the name, address, telephone number, e-mail address, online identifier and tax identification number of the natural person data subject on the basis of his or her consent. Participation in the game is voluntary. Consent to the processing of personal data is deemed to be given by accepting this policy and participating in the game.

(2) Purpose of the processing of personal data: to determine the winner of the prize draw, to notify the winner, to send the prize, to contact for marketing purposes, to send information material.

(3) Legal basis for processing: the freely given consent of the data subject [Article 6(1)(a) GDPR].

The freely given consent may be withdrawn at any time. We inform you that the withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal. Please include your name and e-mail address in the request for erasure for identification purposes.

(4) The recipients and categories of recipients of personal data: the Company's employees performing marketing and customer service tasks, the Company's data processors as data processors, in particular the Company's IT service provider, accounting employees, courier service employees and the other data processors named in the Company's other privacy policies. With explicit consent, the Company may display the names of the winners on its Facebook and Instagram pages, informing the data subjects in the privacy notice that the winners announcement may be shared by others. On social networking sites, implied conduct may be considered as consent.

(5) Period of storage of personal data: 5 years, 8 years in the case of winners for the purpose of storing accounting records.

Processing data on applicants for recruitment, applications, CVs

(1) The personal data that can be processed: the natural person's name, date and place of birth, mother's name, address, photograph, telephone number, e-mail address, details of professional history, experience, education and qualifications.

If, following the application of the data subject, a personal interview of the data subject takes place, the Data Controller shall make a record of it, the content of which shall also be considered personal data.

(2) Purpose of the processing of personal data:

• to identify the data subject,
• to evaluate the data subject's job application submitted to the Data Controller,
• the participation of the data subject in the selection process,
• to select the data subject with the appropriate skills and professional experience for the position advertised by the Controller,
• contacting and maintaining contact with the data subject during the selection process,
• offering the data subject a subsequent job offer if the data subject is not selected by the Data Controller for the advertised position.

(3) Legal basis for processing: by submitting a job application, the data subject consents (Article 6(1)(a) GDPR) to the processing of his/her personal data ("consent" is considered to be given upon submission of the application).

(4) Recipients and categories of recipients of personal data: executives with authority to exercise employer rights within the Company, employees responsible for labor-related tasks.

(5) Storage period of personal data: the Data Controller shall erase the personal data of the data subject until 31 December of each year following the submission of the job application or until the withdrawal of the data subject's consent.

The Controller shall erase the documents sent by the data subject without delay at the request of the data subject. If the data subject requests the erasure of his or her personal data before the end of the selection process, the data subject shall not be able to participate in the selection process.

Please note that information publicly available on social networking sites (Facebook, Linkedin, Instagram, Twitter, etc.) may be checked when the application is being evaluated. This will be kept for informational purposes only and will not be copied, printed or recorded in any way.

Data processing for the fulfilment of tax and accounting obligations

(1) The Company processes the data of natural persons who come into contact with the Company for the purposes of fulfilling its legal obligations, tax and accounting obligations (accounting, taxation), as defined by law. The processed data include those specified by the Act CXXVII of 2017 on value-added tax, particularly: tax number, name, address, tax status; and those specified by Act C of 2000 on accounting, specifically: name, address, indication of the person or organization ordering the economic transaction, the authorizer and the person certifying the execution of the instruction, and depending on the organization, the signature of the auditor; on stock movement vouchers and cash management vouchers, the signature of the receiver, and on counterfoils, the signature of the payer; pursuant to Act CXVII of 1995 on Personal Income Tax: tax identification number.

(2) Data processing related to keeping travel records and trip sheets (in relation to vehicles usable by multiple authorized persons): The Company processes the legally required data regarding the use of company-owned and employee-used vehicles for official and business purposes, for the purposes of cost reimbursement, documentation, determination of tax bases, and accounting for fuel savings. The processed data include the name of the vehicle driver, vehicle type, license plate number, date and time of travel, destination, route taken, and name of visited business partner, as specified by the relevant legislation: Section 27 of the 1995. CXVII. tv. (Szja.) and Annexes 2, 3, point 6, and Annex 5, point 7.

(3) The duration of personal data storage is 8 years following the termination of the legal relationship that provides the legal basis.

(4) Recipients of personal data: Employees and data processors of the Company responsible for tax, accounting, payroll, and social insurance tasks.

Data processing for payment purposes

(1) The Company processes the personal data of data subjects – employees, their family members, other beneficiaries – with whom it has a payer relationship (Section 7 31. of the Act CL of 2017 on the Rules of Taxation (Art.)) for the purpose of fulfilling its legal obligations, performing tax and contribution obligations prescribed by law (determining taxes, tax advances, contributions, payroll processing, social security, pension administration). The scope of processed data is determined by Section 50 of the Art., specifically highlighting: the natural person's personal identification data (including previous name and title), gender, nationality, the natural person's tax identification number, social security identification number (TAJ number). If tax laws impose legal consequences to this, the Company may process data related to employees' healthcare (Section 40 of the Szja.) and trade union membership (Section 47 (2) b. of the Szja) for the purpose of fulfilling tax and contribution obligations (payroll processing, social security administration).

(2) The storage period of personal data is 8 years after the termination of the legal relationship providing the legal basis.

(3) Recipients of personal data: employees and data processors of the Company performing tax, payroll, social security (payroll) functions.

Data processing of documents of lasting value under the Archives Act (Act LXVI of 1995)

(1) The Company shall, for the purpose of fulfilling its legal obligation, process documents of lasting value pursuant to Act LXVI of 1995 on public records, public archives and the protection of private archival material (Archives Act), in order to ensure that the lasting value of the Company's archival material is preserved intact and in a usable condition for future generations. Duration of storage: until the transfer to the public archives.

(2) Recipients of the personal data: the manager of the Company, employees of the Company who are responsible for document management and archiving, employees of the public archives.

SECTION V

VISITOR DATA PROCESSING ON THE COMPANY'S WEBSITE - INFORMATION ABOUT COOKIES USAGE

1. Visitors to the website must be informed about the usage of cookies on the website, and their consent must be obtained for this purpose, except for technically essential session cookies.

A cookie is a small text file that is stored in the long-term data storage (HDD, SSD) of the user's computer or mobile device for the duration set in the cookie, and it is reactivated during subsequent visits. Its purpose is to record data related to the visit and personal settings, but these cannot be linked to the identity of the visitor. It helps in designing user-friendly websites and enhancing the online experience of the user. If the user does not consent to the Data Processor using cookies, they must discontinue using the website.

Purpose of data processing:

• Recording your settings and usage habits to facilitate navigation on the site and thus make it easier to use the website.
• Improving user experience by collecting information on how you use the website, which pages you visit or use most frequently, so we can provide an even better user experience when you revisit our website.
• Collecting statistics to analyze how you use the website and other online services, which can then be further developed.
• Developing and fine-tuning the website according to your needs.
• Identifying possible malicious IT operations.

Legal basis for processing: in case of cookies that are essential for the proper functioning of the website, the legitimate interest of the data controller [Article 6(1)(f) GDPR].

The Data Controller has a legitimate interest in ensuring the secure functioning of its website.

Where the legal basis for the processing is the legitimate interest pursued by the Data Controller, you, as the Data Subject (i.e. the person who uses or visits the website), have the right to object at any time to any such processing of your personal data on grounds relating to your particular situation. In such cases, the data controller is obliged to examine the objection submitted by the data subject and, based on the so-called balance of interests (the comparison of the interests of the data controller and the data subject), decide on the continuation, possible restriction, or termination of the data processing. In order to justify the legitimate interests, the Data Controller has established a so-called "balancing of interests test".

The legal basis for the processing of other cookies is the freely given consent of the data subject [Article 6(1)(a) of GDPR].Freely given consent may be withdrawn at any time. Please be informed that the withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal. Please include your name and e-mail address in the request for erasure for identification purposes.

Scope of data involved in data processing: by placing cookies and re-reading them, we process visitors' data and information relating to their use of the website and their browsing in accordance with the purposes of the processing.

Duration of data processing: We distinguish between cookies stored until the end of the current session and those kept for a specified longer period. Different cookies are stored only for a specified duration to achieve their intended purpose. The data subject can delete cookies stored on their computer or mobile phone at any time through their browser settings.

2. Detailed information about cookies

2.1 A cookie is a piece of data that the visited website sends to the visitor's browser (in the form of a variable name value) so that it can be stored and later loaded by the same website. A cookie can have a validity period, valid until the browser is closed, or for an unlimited period of time.  Later, for each HTTP(S) request, this data is also sent by the browser to the server. In this way, the data on the user's computer is modified.

2.2 The nature of modern website services require cookies, with the function of identifying a user (for example, that they have accessed the site) and processing them accordingly, even identifying them on their subsequent return. The danger lies in the fact that the user is not always aware of this and may be tracked by the website operator or other service provider whose content is embedded in the site (e.g. Facebook, Google Analytics), thereby creating a profile of the user, in which case the content of the cookie may be considered personal data.

2.3. Types of cookies:

2.3.1. Technically essential session cookies: cookies that are necessary to identify the user, e.g. to check whether he/she has logged in, what he/she has added to the shopping cart, etc.

Typically, these cookies store a session ID, while other data is stored on the server, making it more secure. There is a security aspect to consider; if the session cookie value is not properly generated, there is a risk of session hijacking attacks, therefore, it is essential for these values to be generated correctly. In other terminologies, all cookies that are deleted when you exit the browser are called session cookies (a session being a browsing session from start to exit).

2.3.2. Usage-enhancing cookies: These are cookies that remember user choices, such as how the user prefers to view the site. Essentially, these types of cookies store configuration data in the cookie.

2.3.3. Performance-enhancing cookies: Although they are not directly related to "performance," these are usually cookies that gather information about the user's behavior within the visited website, including time spent and clicks. These cookies are typically third-party applications (e.g., Google Analytics, AdWords, or Yandex.ru cookies). These can be used to profile the visitor.

You can find out more about Google Analytics cookies here:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

You can find out about Google AdWords cookies here:

https://support.google.com/adwords/answer/2407785?hl=hu

2.4 You are not obliged to accept the use of cookies or to allow their use.  You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent. While most browsers automatically accept cookies by default, this setting can usually be changed to prevent automatic acceptance.

To find out about cookie settings for the most popular browsers, click on the links below

- Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu

- Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn

- Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11

- Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7

- Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9

- Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8

- Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq

- Safari: https://support.apple.com/hu-hu/HT201265

However, please note that some website features or services may not function properly without cookies.

3. Information about the cookies used on the Company's website and the data generated during the visit

3.1. Data processed during the visit Our Company's website may record and process the following data about the visitor and the device used for browsing when visiting the website:

• the IP address used by the visitor,
• the browser type,
• the characteristics of the operating system of the device used for browsing ( the language set),
• date of the visit
• the (sub)page, function or service visited.
• click.

This data is kept for a maximum of 90 days and may be used primarily to examine security incidents.

3.2. Cookies Used on the Website

3.2.1. Technically essential session cookies

Purpose of data processing: Ensuring the proper functioning of the website. These cookies are necessary for visitors to browse the website smoothly and fully utilize its functions, as well as the services available through the website, including - among others - remembering actions performed by the visitor on specific pages or identifying logged-in users during a visit. The duration of data processing for these cookies applies solely to the visitor's current session; once the session ends or the browser is closed, this type of cookies is automatically deleted from the visitor's computer.

The legal basis for this data processing is Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elkertv.), which allows the service provider to process personal data that are technically necessary for providing the service. The service provider has to select and in any case operate the means used in the course of providing the information society service in such a way that personal data are processed only if absolutely necessary for the performance of the service and the fulfilment of the other purposes specified in this Act, but in this case only to the extent and for the duration necessary.

3.2.1. Usage-enhancing cookies:

These cookies remember user preferences, such as how the user prefers to see the website. These types of cookies are basically the settings data stored in the cookie.

The legal basis for data processing is the visitor's consent.

Purpose of data processing: Increasing service efficiency, enhancing user experience, making website usage more convenient.

This data is typically stored on the user's device, and the website can only access and recognize the visitor through it.

3.2.2. Performance-enhancing cookies:

They collect information about the user's behavior within the visited website, including time spent and clicks made.

Legal basis for data processing: User consent.

Purpose of data processing: Website analysis, sending advertising offers.

SECTION VI

INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

I. A brief summary of your rights:

You have the following rights which you can request from the Data Controller:

• information about the processing of your personal data (before the start of the processing, as well as during the processing). Your right to information is ensured by the preparation and publication of this Privacy Notice.
• access to your personal data (provision of your personal data by the controller),
• rectification or completion of your personal data,
• erasure or restriction (blocking) of your personal data, except for mandatory processing,
• right to data portability,
• objection to the processing of your personal data,
• right to not be subject to a decision based solely on automated processing – including profiling – which would have legal or similarly significant effects on you,
• right to remedy.

According to the section on enforcement options and legal remedies related to data processing, you can submit your request to the Data Controller in writing. The Data Controller will fulfill your lawful request within a maximum of 30 days and notify you of this by letter sent to the contact information provided by you.

II. Your rights in detail:

The right to information (based on the obligations of data controllers set forth in Articles 13-14 of the GDPR)

You may request information in writing from the Data Controller in accordance with the section on enforcement options and legal remedies related to data processing, about. what personal data,

• on what legal basis,
• for what purpose of data processing,
• from what source,
• for how long it is processed,
• whether a data processor is involved, and if so, the name, address and activities of the data processor,
• to whom, when, under what law, access to which of your personal data has been provided or to whom your personal data has been transferred by the Controller,
• the circumstances of any data breach, its effects and the measures taken to remedy it.

Right of access (under Article 15 of the GDPR Regulation)

You have the right to receive feedback from the Controller whether your personal data are being processed and, if such processing is ongoing, you have the right to access the personal data processed which you may request in writing from the Controller in accordance with the section on enforcement options and legal remedies related to data processing.

The Controller will provide you with a copy of the personal data which are subject to processing, unless there are other legal obstacles. If you have made the request by electronic means, the information shall be provided in a commonly used electronic format, unless you request otherwise.

Right to rectification and completion (under Article 16 of the GDPR Regulation)

You may request in writing, in accordance with the section on enforcement options and legal remedies related to data processing, that the Controller amend any of your personal data (for example, you may at any time change your email address or postal address or request that the Controller rectify any inaccurate personal data processed by the Controller).

Taking into account the purpose of the processing, you have the right to request that any incomplete personal data processed by the Controller should be duly completed.

Right to erasure (based on Article 17 of the GDPR Regulation)

The erasure of personal data can be requested mainly if our processing is based on your freely given consent, e.g. you have given your consent to the processing of your data (phone number, e-mail address). In such event, we will erase your personal data.

Your freely given consent can be withdrawn at any time. We inform you that the withdrawal of your consent does not affect the lawfulness of the processing that took place before the withdrawal. Please include your name and e-mail address in the request for erasure for identification purposes.

Right to restriction of processing (under Article 18 of the GDPR Regulation)

You may request the Controller by writing to restrict your personal data (by clearly indicating the restricted nature of the processing and ensuring that the processing is kept separate from other data) in accordance with the section on enforcement options and legal remedies related to data processing.

The restriction will remain in place until the specified reason necessitates the storage of the data. You may request the data restriction, for instance, if you believe that the Controller has unlawfully processed your submission, but it is necessary for the Controller to retain the submission for the authority or judicial proceedings initiated by you.

In this case, the Controller will continue to store the personal data (such as the submission in question) until a request is made by the authority or the court. After that, the data will be erased.

Right to data portability (under Article 20 of the GDPR Regulation)

You may, in accordance with the section on enforcement options and legal remedies related to data processing, request in writing to receive your personal data which you have provided to the Controller in a structured, commonly used, computer-readable format, and you have the right to transfer these data to another controller without the Controller’s hindrance, if

• the processing is based on consent in accordance with Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation, or
• a contract in accordance with Article 6(1)(b); and
• the processing is carried out by automated means

Right to object (under Article 21 of the GDPR)

You have the right to object in writing, through the contact details provided in the section on enforcement options and legal remedies related to data processing, against the processing of your personal data necessary for the legitimate interests pursued by the Data Controller or a third party as referred to in Article 6(1)(f) of the General Data Protection Regulation, including profiling based on these provisions.

In this case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

Automated decision-making in individual cases, including profiling (under Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing – including profiling – which would have legal or similarly significant effects on you.

This right does not apply in the case where the decision:

1. is necessary for the conclusion or performance of the contract between you and the controller;
2. b) is allowed by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
3. based on your explicit consent.

In the cases referred to in points (a) and (c), the controller shall take appropriate measures to protect your rights, freedoms and legitimate interests, including at least the right to request human intervention from the controller, to express your point of view and to object to the decision.

SECTION VII

ENFORCEMENT OPTIONS AND LEGAL REMEDIES RELATED TO DATA PROCESSING

Contact the Controller

We recommend that you send the Controller your request or complaint about the processing of your personal data before initiating legal or authority proceedings, so that we can investigate and provide a satisfactory remedy, or fulfil any of your requests or claims under the section on information on the rights of the data subject, if they are justified.

The Controller shall, in case of exercising any of your rights in relation to data processing pursuant to the section on information on the rights of the data subject, requesting information on data processing, or objecting to or complaining about data processing, investigate the matter without undue delay and within the time limits provided for by applicable law, take action on the request and provide you with information on the matter. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended as allowed by law.

If you have submitted your request electronically, we will provide the information electronically where possible, unless you request otherwise. If the Controller does not act on your request without delay, but at the latest within the time limit set by law, the Controller will inform you of the reasons for the failure to act or the refusal to act and of the possibility for you to take judicial or other authority proceedings in accordance with the following.

In order to exercise your rights in relation to the processing of your data or if you have any questions or doubts about the processing of your data by the Controller, or if you wish to receive information about your data, lodge a complaint or exercise a right under the section on information on the rights of the data subject, you may do so in writing as a so-called "data subject request" by ordinary mail, or by e-mail via the contact details of the Controller.

Photon Technologies Kft.

Registered seat: 9022 Győr, Liszt Ferenc utca 40.

Phone number: +36707023775

E-mail address: [email protected]

Initiation of an authority procedure

You are entitled to lodge a complaint with a supervisory authority – particularly in the Member State of your residence, place of work, or the alleged infringement – if you believe that the processing of your personal data violates the provisions of the GDPR. Within the EU, you can find contact details for each supervisory (data protection) authorities at: https://edpb.europa.eu/about-edpb/board/members_hu. In Hungary, you can initiate an investigation or authority proceedings at the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa u. 9-11., website: http://naih.hu, mailing address: 1363 Budapest, Pf.: 9.; phone: +36-1-391-1400; fax: +36-1-391-1410; email: [email protected]) to enforce your rights, claiming that your personal data have been processed in violation of your rights or that there is an immediate risk of such a violation, in particular,

• if you believe that the data controller is restricting the exercise of your rights as set out in the section on information on the rights of the data subject or refusing your request to exercise those rights (initiation of an investigation), and
• if you believe that, in the processing of your personal data, the Controller or a data processor appointed or instructed by the Controller breaches the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union (requesting the initiation of authority proceedings).

Initiation of judicial proceedings

You may take judicial action if you consider that the Controller is processing your personal data in breach of the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union. Such proceedings may also be initiated before the courts of the Member State where the data subject has his or her residence. In Hungary, such a lawsuit falls within the competence of the Regional Court. The data subject may also bring the case, at his or her choice, before the competent court of his or her place of residence or domicile. Information on the jurisdiction and contact details of the court (regional court) can be found on the following website: https://birosag.hu/.

SECTION VIII

DATA PROTECTION

The Data Controller undertakes to ensure the securityof the personal data that the Data Controller processes. Taking into account the state of science and technology and the costs of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, the Data Controller shall take technical and organisational measures and establish procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration.

The Data Controller also undertakes to ensure that all third parties to whom the data are transferred or disclosed by any legal basis are required to comply with the data security requirements. The Data Controller ensures that unauthorized individuals cannot access, disclose, transfer, modify, or delete the processed data.

The data processed may only be accessed by the Controller and its employees, or by the controller's processor(s) and recipients, according to the level of authorisation. The Data Controller shall not disclose them to third parties who are not authorised to access the data. Employees of the Data Controller and the Data Processor shall have access to personal data in a specific manner, according to the job titles and levels of access defined by the Data Controller and the Data Processor.

In order to ensure the security of the IT systems, the Data Controller protects the IT systems with a firewall and uses antivirus and anti-virus software to prevent external and internal data loss. The Data Controller has also ensured that incoming and outgoing communications in any form are properly monitored to prevent misuse.

The Data Controller and the Data Processor classify and process personal data as confidential. The Data Controller shall ensure that, in order to protect the electronically processed data files in the various records, the data stored in the records cannot be directly linked and associated with the Data Subject, subject to exceptions provided for by law.

The Controller shall ensure a level of data security appropriate to the level of risk, including, where applicable:

• pseudonymisation and encryption of personal data,
• ensuring the continued confidentiality, integrity, availability and resilience (operational and development security, intrusion protection and detection, prevention of unauthorised access) of the systems and services used to process personal data
• in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a reasonable time (data leak prevention; vulnerability and incident management)
• a procedure to regularly test, assess and evaluate the effectiveness of the technical and organisational measures taken to ensure the security of data processing (business continuity, protection against malicious codes, secured data storage, transfer, processing, security training of employees)

When determining the appropriate level of security, explicit attention should be paid to the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transferred, stored or otherwise processed.

Please note that you can request further detailed information on data security from the Data Controller (e-mail address: [email protected]).

SECTION IX

TRANSFERS OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

1.) Based on the adequacy decision (Article 45 of the GDPR)

Personal data may be transferred to a third country or international organization based on Article 45 of the GDPR if the European Commission has determined in its decision that the third country, or a territory thereof, or one or more sectors within that country, or the relevant international organization provides a level of protection that is essentially equivalent to the EU data protection standards.

Article 45(2) of the GDPR sets out the general criteria that the Commission will take into account when assessing the adequacy of the level of protection. The Commission will periodically and regularly monitor the adequacy of the level of protection in the countries (in a territory, in a sector, in an international organisation) for which the Commission has previously taken an adequacy decision and, if the Commission finds that the adequate level of protection is no longer ensured, it will repeal, amend or suspend the decision.

2) Trans-Atlantic Data Privacy Framework

On 10 July 2023, the European Commission adopted an adequacy decision on the new EU-US Privacy Framework, stating that personal data can be transferred securely from the European Union to US companies participating in the new framework, the US will provide an adequate level of protection for personal data transferred from the EU to participating US companies. As a precondition to joining the Trans-Atlantic Framework Decision, US companies must undertake as data controllers to implement data protection measures that comply with the GDPR.

3) Transfers subject to appropriate safeguards (Article 46 GDPR)

In the absence of an adequacy decision pursuant to Article 45 of the GDPR, a data controller or processor may only transfer personal data to a third country or an international organisation if the data controller or processor has provided so-called appropriate safeguards in relation to the adequacy of the transfer and there are enforceable data subject rights and legal remedies available to the data subjects.

The Data Controller informs you that in the course of the data processing your personal data may be transferred to a third country.

SECTION X

MISCELLANEOUS

No automated decision-making or profiling will take place during the processing of personal data detailed in this Privacy Notice.

The Data Controller reserves the right to unilaterally amend this notice in the future. The current version of the Privacy Notice is available on the Data Controller's website. The Data Subjects will be informed of any amendments via the Controller's website.

Date and place: 17 April 2024, Budapest.

Photon Technologies Limited Liability Company

Represented by: Dániel Károly Csala Managing Director