1. INTRODUCTION

Solarandsolar.hu is a registered domain by Solar&Solar Ltd. pvsolarstore.com and webshop.solarandsolar.hu are subsidiaries of Solar&Solar Trade and Service Company Limited Liability Company

Solar&Solar Trade and Service Company Limited Liability Company�(herein after referred to  as the “data controller”) is subject to the following information.

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation) the following information is provided.

This privacy statement governs the processing of data on the following websites: Solarandsolar.hupvsolarstore.com and webshop.solarandsolar.hu

The privacy policy is available at: https://solarandsolar.hu/privacy-policy/

Amendments to the Prospectus will enter into force upon publication at the above address.

THE DATA CONTROLLER AND ITS CONTACT DETAILS:

Name: Solar&Solar Trade and Service Company Limited Liability Company

Seat: 1122 Budapest, Hajnóczy J. u. 11.

E-mail: w[email protected]

Phone: +36 70 501 6209

2. TERMS DEFINITIONS
  • personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;�
  • processing” means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or blocking;
  • controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or specific criteria for the designation of the controller may also be determined by Union or Member State law;�
  • processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;�
  • recipient” means a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;�
  • data subject’s consent“: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;�
  • data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
3. RULES FOR HANDLING PRIVATE DATA

Personal data:

a) be lawful, fair and transparent for the data subject (“lawfulness, fairness and transparency”);

b) collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purpose in accordance with Article 89(1) (‘purpose limitation’);

c) be adequate, relevant and limited to what is necessary for the purposes for which the data are processed (“data minimisation”);

d) be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without undue delay (“accuracy”);

e) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the processing of the personal data will be carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures as provided for in this Regulation to safeguard the rights and freedoms of data subjects (‘limited storage’);

f) be carried out in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (“integrity and confidentiality”), by implementing appropriate technical or organisational

The controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).

4. DATA CONTROLLERS

4.1. DATA PROCESSING RELATED TO THE OPERATION OF THE WEBSHOP

4.1.1.�The fact of collection, the scope of the data processed and the purpose of the processing :

Personal data

Purpose of data processing

User name

Identification, enabling of registration.

Password

To have a secure access to a user’s profile.

Surname and first name

To establish contact, for purchases, and to issue a correct form of invoice.

E-mail address

For staying in touch.

Phone number

For staying in contact, a more efficient way to coordinate issues concerning billing, or shipping.

Billing name and address

To issue a correct form of invoice, furthermore, to create a contract, determine, modify its content, to monitor its execution, billing the fees coming from it and enforcing the demands coming from it.�

Delivery name and address

Enabling home delivery.

Date of purchase/registration

Perform a technical operation.

IP address at the time of purchase/registration

Perform a technical operation.

Neither the username nor the e-mail address need to contain personal data.

4.1.2.    Stakeholders :

All users/customers registered in the webshop are concerned.

4.1.3.    Duration of processing:

The accounting documents (including general ledger accounts, analytical or detailed records) directly and indirectly supporting the accounting accounts must be kept for at least 8 years in a legible form, retrievable by reference to the accounting records.

4.1.4.    Deadline for deleting data :

By cancelling your registration immediately. The deletion of any personal data provided by the data subject shall be notified by the controller electronically, in accordance with Article 19 of the GDPR. If the data subject’s request for erasure also includes the e-mail address provided by the data subject, the controller shall erase the e-mail address after being informed. Except in the case of accounting records, since pursuant to Article 169 (2) of Act C of 2000 on Accounting, these data must be kept for 8 years.

4.1.5.    The identity of the potential data controllers entitled to access the data, the recipients of the personal data:

Personal data may be processed by the sales and marketing staff of the controller, in compliance with the above principles.

4.1.6.    Description of data subjects’ rights in relation to data processing:

  • The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and
  • object to the processing of such personal data; and
  • the data subject has the right to data portability and the right to withdraw consent at any

4.1.7.      The data subject can initiate access to personal data, their deletion, modification or restriction of processing, data portability, objections to data processing in the following ways:

  • by post to 2400 Dunaújváros, Farkas tanya                �address,
  • by e-mail to info@pvsolarstor com,
  • by phone to +36 70 325 2122.

4.1.8.    Legal basis for processing:

  1. Article 6(1)(b) of the GDPR,
  2. Electronic commerce services and information

Paragraph 13/A (3) of Act CVIII of 2001 on certain issues of social services (hereinafter: Elker tv.): the service provider may process personal data for the purpose of providing the service, which are technically necessary for the provision of the service.

are essential. The service provider must, other things being equal, choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only to the extent strictly necessary for the provision of the service and for the fulfilment of the other purposes laid down in this Act, but only to the extent and for the duration necessary.

  1. In the case of invoices issued in accordance with accounting legislation, Article 6(1) of the GDPR c).
  2. In the event of enforcement of claims arising from the contract, Act V of 2013 on the Civil Code 6:22 [Limitation period]
    • Unless otherwise provided by this Act, claims shall be barred after five
    • The limitation period starts to run when the claim becomes
    • The agreement to change the limitation period must be in
  • The agreement excluding the limitation period is null and

4.1.9.   Please note that

  • the processing is necessary for the performance of the
  • You must provide personal information so that we can fulfil your
  • failure to provide the data will result in our inability to process your

 4.2 THE DATA PROCESSORS USED

 4.2.1.�Supplier

4.2.1.1.     Activity performed by a data processor:

Delivery of products, transport

4.2.1.2.    Name of data processor:

companies engaged in the road haulage of goods and having a contractual relationship with the Data Controller.

4.2.1.3.    The fact of processing, the scope of the data processed :

Shipping name, shipping address, phone number, email address.

4.2.1.4.   The scope of what they eat:

All those requesting a home delivery are concerned.

4.2.1.5.    Purpose of the processing:

Delivery of the ordered product to your door.

4.2.1.6.    Duration of data processing, deadline for deletion of data:

It takes until the delivery is completed.

4.2.1.7.    Legal basis for processing:

Article 6(1)(b) GDPR.

4.2.2. Storage -service provider

4.2.2.1.    Activity performed by a data processor:

Hosting service

4.2.2.2.   Name and contact details of the data processor:

Unas Online Korlátolt Felelősségű Társaság 9400 Sopron, Kőszegi út 14.

+36 99 200 200

[email protected]

4.2.2.3.   The processing and the fact and scope of the data processed :

All personal data provided by the data subject are stored in dat.

4.2.2.4.   Stakeholders:

All stakeholders using the website.

4.2.2.5.   Purpose of the processing:

Making the website available and running it properly.

4.2.2.6.   The duration of the processing, the time limit for deleting the data:

The data processing shall continue until the termination of the agreement between the data controller and the hosting provider or until the data subject’s request for deletion to the hosting provider.�

4.2.2.7.   Legal basis for processing:

Article 6(1)(c) and (f) of the GDPR and Article 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.

 4.3. COOKIES

4.3.1Typical cookies for web shops are so-called “password-protected session cookies”, “shopping cart cookies” and “security cookies”, which do not require prior consent from the data

4.3.2.     The fact of processing, the scope of the data processed:

Unique identification number, dates, times

4.3.3.     Stakeholders :

All data subjects visiting the website.

4.3.4.    Purpose of the processing:

Identify users, register the “shopping basket” and track visitors.

4.3.5.     Duration of data processing, deadline for deletion of data:

Type of cookies Data management Legal basis Data Duration Managed data
Session cookies The Act of CVIII of 2001 (Elker Law) 13/A (3) Paragraph about: The electronic commercial services and the issues of information social services The relevant visitors’ session until the closure  period. connect.sid

4.3.6.�The identity of the potential controllers who are entitled to access the data:

By using cookies, no personal data is processed by the data controller.

4.3.7.    Acknowledging the rights of data subjects in relation to data processing:

Data subjects have the possibility to delete cookies in the Tools/Settings menu of their browsers, usually under the Privacy settings.

4.3.8.    The right to data processing page:

The consent of the data subject is not required where the sole purpose of the use of cookies is to provide a communication over an electronic communications network or where the use of cookies is strictly necessary for the provision of an information society service expressly requested by the subscriber or user.

4.4. USE�GOOGLE ADWORDS ADVERTISING

4.4.1 Both on the main domain and the solar webshop the data controller uses the online advertising program “Google AdWords” and makes use of Google’s conversion tracking service within its Google Conversion Tracking is an analytics service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

4.4.2 When you visit a website through a Google ad, a cookie is placed on your computer to track These cookies have a limited validity and do not contain any personal data, so the User cannot be identified by them.

4.4.3. When the User browses certain pages of the website and the cookie has not expired, Google and the data controller may see that the User has clicked on the

4.4.4. Each Google AdWords client receives a different cookie, so they cannot be tracked through AdWords clients’

4.4.5. The information, which is obtained through the use of conversion tracking cookies, is used to provide conversion statistics to AdWords customers who choose to track conversions. Clients are then informed about the number of users who click on their ad and are referred to a page with a conversion tracking tag. However, they do not have access to information that would allow them to identify any

4.4.6. If you do not wish to participate in conversion tracking, you can opt-out by disabling the option to set cookies in your�You will then not be included in the conversion tracking statistics.

4.4.7. More information and Google’s privacy statement can be found at:

https://policies.google.com/privacy?h l=hu

5. COMPLAINTS

5.1. The fact of collection, the scope of the data processed and the purpose of�the processing�:�

Personal data

Purpose of the processing

Surname and first name

Identification, contact.

E-mail address

Staying in touch.

Phone number

Staying in touch.

Billing name and address

Identification, with the products ordered

arising in connection with                             quality

objections, questions and                        Problems Addressing.

5.2.    Stakeholders:

All data subjects concerned who shop on the website of the webshop and complain about quality.�

5.3.    Duration of processing, deadline for deletion of data:

Copies of the record, transcript and the reply to the recorded objection shall be kept for 5 years pursuant to Article 17/A (7) of Act CLV of 1997 on Consumer Protection.�

  • The identity of the potential controllers of the data, the recipients of the personal data�: Personal data may be processed by the sales and marketing staff of the controller, in compliance with the above�

5.5.     Description of data subjects’ rights in relation to data processing :

  • The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and
  • may object to the processing of such personal data, unless
  • the data subject has the right to data portability and the right to withdraw consent at any time�

5.6.  Access to, deletion, modification or restriction of processing of personal data, portability of data, protection against unlawful processing of data�the person concerned can initiate an objection in the following ways:

  • bypost to                           1122 Budapest, Hajnóczy u. 11.,
  • bye-mail to                        [email protected] �e-mail address,
  • by phone to                       +36 70 501 6209

5.7.    The data processing claim:

Article 6(1)(c) GDPR and Article 17/A(7) of Act CLV of 1997 on Consumer Protection.

5.8.    Please note that

  • the provision of personal data is based on a contractual
  • the processing of personal data is a precondition for the conclusion of the contract.
  • You are required to provide personal information so that we can handle your
  • failure to provide the data will mean that we will not be able to deal with your
6. CUSTOMER INFORMATION AND OTHER DATA

6.1. If the data subject has any questions or problems when using our services, he or she can contact the  data  controller  by  the  means  indicated  on  the  website  (telephone,  e-mail,  social networking sites, etc.).

6.2. The Data Controller will delete the data provided in e-mails, messages, telephone, Facebook, etc., together with the name and e-mail address of the interested party and other personal data voluntarily provided by the interested party, after a maximum of 2 years from the date of the communication.

6.3. Information about data processing not listed in this notice is provided at the time of collection.�

6.4. In exceptional cases, the Service Provider shall be obliged to provide information, disclose data, hand over data or make documents available upon request of a public authority or other bodies authorised by law.�

6.5. In such cases, the Service Provider shall disclose personal data to the requesting party only to the extent and to the extent strictly necessary for the purpose of the request, provided that the requesting party has indicated the exact purpose and scope of the data.

7. THE RIGHTS OF DATA SUBJECTS

7.1.        Right of access

You have the right to receive feedback from the controller as to whether or not your personal data are being processed and, if such processing is taking place, you have the right to access your personal data and the information listed in the Regulation.

7.2.    The right to rectification

You have the right to have inaccurate personal data relating to you corrected by the controller without undue delay at your request. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

7.3.    The right to erasure

You have the right to have personal data concerning you erased by the controller without undue delay at your request, and the controller is obliged to erase personal data concerning you without undue delay under certain conditions.

7.4.  The right to be forgotten

If the controller has disclosed the personal data and is under an obligation to erase it, the controller shall take reasonable steps, including technical measures, taking into account available technology and the cost of implementation.

– in order to inform the data controllers that you have requested the deletion of the links to or copies or duplicates of the personal data in question.

7.5.    Right to restriction of processing

You have the right to have the controller restrict processing at your request if one of the following conditions is met:

  • You contest the accuracy of the personal data, in which case the limitation applies for the period of time that allows the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you object to the deletion of the data and instead request the restriction of their use;
  • the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
  • you have objected to the processing; in this case, the restriction applies for the period until it is established whether the controller’s legitimate grounds prevail over your legitimate

7.6.    The right to data portability

You have the right to receive personal data relating to you that you have provided to a controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to whom you have provided the personal data.

7.7.    The right to protest

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, including profiling based on the aforementioned processing.

7.8.    Objection in the case of direct acquisition

Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, where it relates to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data may no longer be processed for these purposes.

7.9.    Automated decision-making on individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which would have legal effects concerning you or similarly significantly affect you. The previous paragraph does not apply where the decision:

  • necessary for the conclusion or performance of a contract between you and the controller;
  • is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect your rights and freedoms and legitimate interests; or
  • Based on your explicit consent
8. INSTITUTIONAL DEADLINE

The controller will inform you without undue delay of receipt of the request, but in any event of the request

within1monthofthe date of the request.                  �

following the above requests

If necessary, this period may be extended by 2 months�. The controller will inform you of the extension of the deadline within 1 month of�receipt of the request, stating the reasons for the delay.

If the controller fails to act on your request, it will inform you without delay and at the latest within one month of receipt of the request of the reasons for its failure to act�and of your right to lodge a complaint with a supervisory authority and to seek judicial redress.

9. DATA SECURITY AND SAFETY

The controller and the processor shall implement appropriate technical and organisational measures, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of data security appropriate to the level of risk, including, where appropriate:

a) the pseudonymisation and encryption of personal data;

b) ensuring the confidentiality, integrity, availability and resilience of the systems and services used to process personal data;

c) in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;

d) from data processing security to guarantee security brought to technical and organisational measures to regularly test, assess and evaluate their effectiveness.

10. INFORMING THE DATA SUBJECT OF THE PERSONAL DATA ABOUT BREACHES

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay.

The information provided to the data subject shall clearly and prominently�describe the nature of the personal data breach and provide the name and contact details of the data protection officer or other contact person who can provide further information; describe the likely consequences of the personal data breach; describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.

The data subject need not be informed if any of the following conditions are met:�

  • the controller has implemented appropriate technical and organisational protection measures�and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible�to persons not authorised to access the personal data;�
  • the controller has taken additional measures following the personal data breach to ensure�that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  • information would require a disproportionate effort. In such cases the

the data subjects must be informed by means of publicly disclosed information or a similar measure must be taken to ensure that the data subjects are informed in an equally effective manner.

If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed.

11. DATA PROTECTION INCIDENT NOTIFICATION TO THE AUTHORITY

The data controller shall notify a personal data breach to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the personal data breach, unless the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.

12. REVISION IN CASE OF MANDATORY DATA PROCESSING

If the duration of the mandatory processing or the periodic review of its necessity is not specified by law, local government regulation or a binding legal act of the European Union, the controller shall reviewat least every three years from the start of processing, whether the�processing of personal data processed by the controller or by a processor acting on its behalf or under its instructions is necessary�for the purposes of the processing.

The data controller shall document�the circumstances and the results of this review, keep this documentation for ten years after the review�and make it available to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as “the Authority”) upon request.

13. COMPLAINT POSSIBILITY

Complaints against possible infringements by the data controller can be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

Adress:                             1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address:                1530 Budapest, PO Box 5.

Telephone:                       +36 -1-391-1400

Fax:                                 +36-1-391-1410

E-mail:                             ugyfelszolgalat@naih.hu

14. AFTERWORD

The following legislation has been taken into account in the preparation of this information:�

  • REGULATION (EU) No 2016/679/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 June 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation) 27 April)
  • Act C XII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Info law.)
  • Act CVIII of 2001 – on certain aspects of electronic commerce services and information society services (in particular 13/A)
  • Act XLVII of 2008  on the prohibition of unfair commercial practices against consumers;
  • Act XLVIII of 2008 – on the basic conditions and certain restrictions of economic advertising (in particular 6)
  • Act XC of 2005 on Electronic Freedom of Information
  • Act C of 2003 on Electronic Communications (specifically 155)
  • Opinion 16/2011 on the EASA/IAB Recommendation on best practice in behavioural online advertising
  • Recommendation of the National Authority for Data Protection and Freedom of Information on data protection requirements for prior information