Data Protection and Security Policy of Express Luck Europe Electric Korlátolt Felelősségű Társaság
Effective from January 1, 2024
General Provisions
The regulation regarding the protection and security of personal data (hereinafter referred to as the “Regulation”) aims to determine the legal procedure for processing personal data at Express LUCK Europe Electric Korlátolt Felelősségű Társaság (hereinafter referred to as the “Data Controller”) and ensure the application of constitutional principles for data protection and self-determination of data security requirements.
Data Controller Details:
- Data Controller: Express LUCK Europe Electric Korlátolt Felelősségű Társaság
- Registered Office: 2310 Szigetszentmiklós, Leshegy út 2, Hungary
- Data Controller Registration Number: 13-09-184069
- Tax Identification Number: 25807938-2-44
- Email Address: adatkezeles@expressluck.hu
- Representative’s Name and Address: Xie Jungang, 1222 Budapest, Bajcsy-Zsilinszky utca 6, Hungary
Data Protection Officer Details:
- Data Protection Officer Name: Gu Yang
- Email Address: adatkezeles@expressluck.hu
Applicable Laws:
This regulation must be applied in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and the Council (GDPR),
- Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.),
- Sector-specific legal requirements.
Scope of the Regulation:
The regulation applies to all employees of the Data Controller and to those engaged under other work-related legal relationships, as well as to the Data Protection Officer and all persons who have access to personal data under other legal relationships with the Data Controller.
Key Definitions (Based on GDPR)
- Personal Data: Any information relating to an identified or identifiable natural person (data subject).
- Processing: Any operation or set of operations performed on personal data, such as collection, organization, storage, modification, retrieval, consultation, usage, transmission, disclosure, etc.
- Data Subject’s Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data.
- Data Controller: The person, public authority, agency, or other body that determines the purposes and means of processing personal data.
- Processor: A person or entity that processes personal data on behalf of the data controller.
- Recipient: A person or entity to whom personal data is disclosed.
- Supervisory Authority: An independent public authority established in an EU member state.
Data Management Guidelines
- Legality, Fairness, and Transparency: Data must be processed legally, fairly, and transparently.
- Purpose Limitation: Personal data should only be collected for specified, legitimate purposes and not processed in a way incompatible with those purposes.
- Data Minimization: Data must be adequate, relevant, and limited to what is necessary for processing.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date.
- Storage Limitation: Personal data should be kept in a form which permits identification of data subjects only for as long as necessary.
- Security: Personal data should be processed securely using appropriate technical and organizational measures.
- Accountability: The data controller is responsible for compliance with these principles and must be able to demonstrate this compliance.
Legal Basis for Data Processing
Data processing is lawful if at least one of the following conditions is met:
- Consent: The data subject has given consent for processing.
- Contractual necessity: Processing is necessary for the performance of a contract with the data subject.
- Legal obligation: Processing is necessary to comply with a legal obligation.
- Vital interests: Processing is necessary to protect the vital interests of the data subject or another person.
- Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests: Processing is necessary for the legitimate interests pursued by the data controller or a third party, unless overridden by the rights and freedoms of the data subject.
Data Subject Rights and Recourse
Right to Information
The data subject has the right to be informed about the processing of their personal data in a concise, transparent, intelligible, and easily accessible form.
Right of Access
The data subject has the right to access their personal data and obtain information about the processing activities, including:
- Purposes of processing
- Categories of data concerned
- Recipients of the data
- Retention period
- Right to rectification, deletion, or restriction of processing
- Right to lodge a complaint with a supervisory authority
Right to Rectification
The data subject can request the correction of inaccurate personal data or the completion of incomplete data.
Right to Erasure (Right to be Forgotten)
The data subject can request the deletion of their personal data when:
- The data is no longer necessary for the purposes for which it was collected.
- The data subject withdraws consent and no other legal basis exists for processing.
- The data subject objects to the processing and there are no overriding legitimate reasons.
- The data has been processed unlawfully.
- The data must be erased to comply with legal obligations.
Right to Restriction of Processing
The data subject can request a limitation of processing under specific conditions, such as disputing the accuracy of the data.
Right to Object
The data subject has the right to object to the processing of their personal data for reasons related to their particular situation, including profiling.
Right to Data Portability
The data subject has the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
Right to Withdraw Consent
If the processing is based on consent, the data subject can withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Legal and Judicial Recourse
- Complaint: The data subject can file a complaint with the competent supervisory authority or bring an action before a court.
- National Supervisory Authority: The Hungarian National Authority for Data Protection and Freedom of Information (NAIH), or other relevant authorities as per local laws.
Data Security Measures
- The Data Controller ensures a closed, complete, and continuous organizational and technical protection system to guarantee the confidentiality, integrity, and availability of personal data.
- Physical Security: Measures include access control systems and the prevention of unauthorized access to personal data.
- Logical Security: Measures to ensure that only authorized persons have access to personal data.
- Administrative Security: Procedures to track access to personal data and prevent unauthorized access.
Incident Management
If an employee suspects a data protection incident, they must immediately inform the Data Protection Officer (DPO). The DPO will investigate the incident and assess the potential risks to the data subjects. If necessary, the data subjects will be notified according to the applicable regulations.