Datenschutz-Bestimmungen
Fürdő Játékház Kft., as a data controller (“Data Controller”), collects and processes personal data during the operation of the http//funcity.hu website (“Website”). By publishing this information, the Data Controller intends to ensure that data subjects receive comprehensive information about the purposes, methods, principles of data processing and the security measures applied, primarily so that data subjects can make an informed decision about using the services available on the website and about giving consent to data processing. In order to achieve the above-described objectives, we provide the following information in compliance with our obligation under Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (“Regulation”).
(1) Definition of the Data Controller
The controller of the personal data defined below is:
Fürdő Játéház Kft.
registered office: 9740 Bük, Termál körút 49. A. building
mailing address: 9740 Bük, Termál körút 49. A. building
company registration number: 18-09-116498
tax number: 27072785-2-18,
e-mail address: info@funcity.hu
telephone number: +36 30 640 2091
(2) Contact person
The Data Controller does not have a data protection officer. In data protection matters, Fürdő Játéház Kft. can be contacted directly at the above contact details.
(3) Principles observed when processing personal data
The Data Controller processes personal data lawfully and fairly, in a manner that is transparent to the data subject (“lawfulness, fair procedure and transparency”).
The Controller shall only collect personal data for specified, explicit and legitimate purposes and shall not process them in a manner incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purpose in accordance with Article 89(1) of the Regulation (“purpose limitation”).
The Controller shall only process data that is strictly necessary for the purposes of the processing (“data economy”).
The Controller shall ensure that the personal data processed are accurate and up-to-date and shall take all reasonable steps to ensure that personal data that are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay (“accuracy”).
The Data Controller shall process the personal data under its control only for the period necessary for the fulfilment of the purpose of the processing (“limited storage”)
The Data Controller shall ensure the security of the personal data by applying appropriate technical and organisational measures, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (“integrity and confidentiality”).
The Data Controller shall be responsible for compliance with the above and shall be able to demonstrate such compliance (“accountability”).
(4) General rules for data processing
1. The Data Controller shall process personal data only in accordance with the rules set out in the Regulation (Article 6(1) of the Regulation):
a) if the data subject has given consent to the processing of his or her personal data for one or more specific purposes (voluntary consent);
b) if the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract (performance of a contract);
c) if the data processing is necessary for the fulfillment of a legal obligation to which the Data Controller is subject (legal obligation);
d) if the data processing is necessary for the exercise of the legitimate interests of the Data Controller or a third party (legitimate interest).
2. In the case of data processing based on voluntary consent, the data subjects may withdraw their consent at any stage of the data processing.
3. In cases where the processing of the personal data provided, including the transmission of data, is mandatory by law, the Data Controller shall separately notify the data subject thereof.
(5) Definition of personal data processed by the Data Controller and data processing
| 1. Name of data processing | Data processing related to the operation of the Website |
| Purpose of data processing | Operation of the Website and provision of services available on the Website to users. |
| Stakeholders | (i) IP identical (ii) Cookie IDs:- Mobile Advertising ID – a technical identifier in the Mobile Application Environment, e.g. on smartphone operating systems,- other data collected about users’ interaction with advertisements and digital interfaces (websites, mobile applications): the type of browser used by the user and its settings; information about the operating system of the user’s device; cookie IDs and other identifiers defined for the device; IP addresses; information about the user’s interaction and activity with websites and mobile applications, including the time of the interaction or activity, the specific Internet address and the search terms entered in the browser; information about the approximate geographical location of the device (city, region, postal code) obtained from the decomposed IP address information or GPS data when accessing the website or mobile application. |
| Special category data | – |
| Data storage | On the servers of Dotroll Kft. (registered office: 1148 Budapest, Fogarasi út 3-5., e-mail: support@dotroll.hu ), which provides hosting services on an assignment basis. |
| Duration of data processing | In the case of cookies and IP identifiers, as stated in the cookie information, in the case of registration-related data, until the registration is deleted, but no more than 18 months after the last activity – detailed in the cookie information. |
| Access to data | Employees involved in the operation of the Website. |
| Recipients of data transfer | The data processor involved in the operation of the Website on the basis of a contract – Dotroll Kft. (registered office: 1148 Budapest, Fogarasi út 3-5., e-mail: support@dotroll.hu ) as a hosting service provider. |
| Description of the technical and organizational measures applied to ensure the security of data processing | The necessary and appropriate, complex level of information security is ensured by the following measures in terms of confidentiality, integrity and availability (i) complex administrative and technical protection measures (internal data protection regulations, other mandatory regulations also affecting data processing (ii) regular monitoring of data processing processes and continuous customization of protection measures based on continuous risk analysis, as well as a data processing contract providing appropriate guarantees for data processors (iii) personal security measures (iv) information and education of those involved in data processing, raising awareness of the need for data protection |
| Possible consequences of failure to provide data | Incomplete availability of the Website’s services, inaccuracy of analytical measurements. |
| 2. Name of data processing | Newsletter |
| Purpose of data processing | Regularly informing the recipient (subscribed data subject) about the Data Controller’s latest promotions, events, and news is essentially regular advertising. |
| Legal basis for data processing | Voluntary consent /GDPR Article 6 (1) a) and Advertising Act Section 6 (1) para./. Every natural person who wishes to be regularly informed about the Data Controller’s news, promotions and discounts, therefore subscribes to the newsletter service by providing their personal data. |
| Stakeholders | (i) name – for identification purposes (ii) email address – for identification and sending newsletters (iii) technical data: date of subscription and unsubscription – for later proof |
| Special category data | – |
| Data storage | On the servers of Dotroll Kft. (Head office: 1148 Budapest, Fogarasi út 3-5., e-mail: support@dotroll.hu ), which provides hosting services on an assignment basis. |
| Duration of data processing | In an active (dispatching) newsletter database: the data will be deleted until the data subject unsubscribes, or if the Data Controller requests confirmation of consent, upon expiry of the deadline for providing confirmation. |
| Access to data | (i) Rocket Science Group LLC. (https://www.mailchimp.com ), as a data processor for sending newsletters and automated management of unsubscribes. |
| Recipients of data transfer | Basically, it does not happen, it can only happen to authorities or courts if necessary. |
| Description of the technical and organizational measures applied to ensure the security of data processing | The necessary and appropriate, complex level of information security is ensured by the following measures in terms of confidentiality, integrity and availability (i) complex administrative and technical protection measures (internal data protection regulations, other mandatory regulations also affecting data processing (ii) regular monitoring of data processing processes and continuous customization of protection measures based on continuous risk analysis, as well as a data processing contract providing appropriate guarantees for data processors (iii) personal security measures (iv) information and education of those involved in data processing, raising awareness of the need for data protection. |
| Description of the technical and organizational measures applied to ensure the security of data processing | Providing data is an essential condition for sending the newsletter, otherwise sending is not possible. |
In addition, we inform you that in order to improve browsing efficiency, improve user experience and ensure smooth operation, we use meta data, i.e. small text files, so-called cookies. You can view our cookie policy on the following page: https://funcity.hu/cookietajekoztato
1. The Data Controller’s IT systems and other data storage locations are located at its headquarters and at its data processors.
2. The Data Controller selects and operates the IT tools used to process personal data during the provision of the service in such a way that the processed data is accessible to those authorized to do so (availability); its authenticity and authentication are ensured (authenticity of data processing); its unalterability can be verified (data integrity) and it is protected against unauthorized access (data confidentiality).
3. The Data Controller protects personal data with complex administrative and technical protection measures (IT security regulations, internal data protection regulations, other mandatory regulations affecting data management), in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage, and inaccessibility resulting from changes in the technology used.
4. The Data Controller manages the data files managed electronically in its various registers in such a way that the stored data – except where permitted by law – cannot be directly linked and assigned to the data subject.
5. The Data Controller shall ensure the security of data processing by means of technical, organizational and organisational measures, taking into account the current state of technology, which provide a level of protection appropriate to the risks associated with data processing, ensuring (i) confidentiality: (protects the information so that only those who are authorized to do so can access it), (ii) integrity (protects the accuracy and completeness of the information and the processing method), (iii) availability (ensures that when the authorized user needs it, he can actually access the desired information and that the related tools are available).
6. The Data Controller’s IT system and network are both protected against computer-aided viruses, computer intrusions and other attacks. The operator ensures security with server-level and application-level protection procedures. Its data processors undertake to continuously maintain these technical conditions in the data processing contracts concluded with the Data Controller.
(6) Rights of data subjects
1. The data subject may request information about the processing of his/her personal data, as well as request the correction of his/her personal data, or – with the exception of mandatory data processing – the deletion, withdrawal, exercise his/her right to data portability and objection in the manner indicated when recording the data, or at the contact details of the Data Controller stated in Chapters (1) and (2) of this Data Processing Notice. Changes in personal data or the request for the deletion of personal data may be communicated by means of a written statement expressed in a private document with full probative value sent to the registered e-mail address or by post. Certain personal data may also be modified by modifying the page containing the personal profile.
2. Right to information: The Data Controller shall take appropriate measures to ensure that data subjects are provided with all information regarding the processing of personal data referred to in Articles 13 and 14 of the Regulation and in Articles 15–22. and provide each information pursuant to Article 34 in a concise, transparent, intelligible and easily accessible form, in clear and plain language. The right to information may be exercised in writing at the contact details provided in Chapter I of this Data Protection Notice or by sending it to the Data Controller’s executive officer. Upon request, the data subject may also be provided with information orally, after verification of his or her identity.
3. Right of access of the data subject: The data subject shall have the right to obtain from the data controller information on whether or not his or her personal data are being processed and, where such processing is being carried out, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom or to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; (iv) the planned period for which the personal data will be stored; (v) the right to rectification, erasure or restriction of processing and to object; (vi) the right to lodge a complaint with a supervisory authority; (vii) information on the sources of the data; (viii) the fact of automated decision-making, including profiling, as well as intelligible information on the logic involved and the significance of such processing and the foreseeable consequences for the data subject. A request for information sent by e-mail – unless the data subject identifies himself/herself in a credit-related way – shall only be considered authentic by the Data Controller if it is sent from the user’s registered e-mail address. The request for information shall be sent by e-mail to the executive. In the event of the transfer of personal data to a third country or an international organisation, the data subject shall also have the right to receive information on the appropriate guarantees for the transfer.
4. The Data Controller shall provide the data subject with a copy of the personal data subject to the processing. For additional copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. At the request of the data subject, the Data Controller shall provide the information in electronic form. The Data Controller shall provide the information within one month of the submission of the request.
5. Right to rectification: The data subject may request the rectification of inaccurate personal data concerning him or her processed by the Data Controller and the completion of incomplete data. If the personal data are inaccurate and the personal data corresponding to the reality are at the disposal of the Data Controller, the Data Controller shall rectify the personal data.
6. Right to erasure: The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing; (iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing; (iv) the personal data have been processed unlawfully; (v) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the Controller is subject; (vi) the personal data were collected in connection with the provision of information society services. The erasure of data may not be requested if the processing is necessary for one of the following reasons: for compliance with an obligation under Union or Member State law to which the Controller is subject to which the personal data are subject, or for the establishment, exercise or defence of legal claims by the Controller.
7. Right to restriction of processing: At the request of the data subject, the Data Controller shall restrict the processing of the data where one of the following conditions is met: (i) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the accuracy of the personal data to be verified; (ii) the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead; (iii) the Data Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to the processing; in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the Data Controller override those of the data subject. If processing is subject to restriction, personal data may only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person. The Data Controller shall inform the data subject in advance of the lifting of the restriction on data processing.
8. Right to data portability: The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and to transmit these data to another data controller.
9. Right to object: The data subject has the right, on grounds relating to his or her particular situation, to object at any time to processing of personal data concerning him or her for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. In the event of an objection, the controller shall no longer process the personal data unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling where such processing is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for such purposes.
10. Right to withdrawal: The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
11. The Controller shall inform the data subject without undue delay, and in any event within one month of receipt of the request, of the measures taken in response to the request pursuant to Articles 15 to 22 of the Regulation.
11.1. Where necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay. If the data subject submitted the request electronically, the information shall be provided electronically, unless the data subject otherwise requests.
11.2. If the Data Controller does not take action on the data subject’s request, it shall inform the data subject without delay, but no later than one month from the date of receipt of the request, of the reasons for not taking action and of the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
11.3. The Company shall provide the requested information and communication free of charge. If the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller may charge a reasonable fee, taking into account the administrative costs of providing the requested information or communication or taking the requested action, or may refuse to take action on the request.
11.4. The Company shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of processing carried out by it, unless this proves impossible or involves a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.
11.5. The Company shall provide the data subject with a copy of the personal data subject to data processing. For additional copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in electronic format, unless the data subject requests otherwise.
12. Compensation and damages: Any person who has suffered material or non-material damage as a result of a breach of the Regulation shall be entitled to compensation from the Controller or the processor for the damage suffered. The processor shall only be liable for damage caused by data processing if it has failed to comply with the obligations expressly imposed on data processors by law, or if it has disregarded or acted contrary to the lawful instructions of the Controller. If several controllers or processors or both controllers and processors are involved in the same data processing and are liable for damage caused by data processing, each controller or processor shall be jointly and severally liable for the entire damage. The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
(7) Legal remedies:
1. The data subject may directly contact the Data Controller with their questions or comments at the contact details specified in chapter (2) of this Data Protection Notice.
2. Right to appeal to court: the data subject may appeal to court against the Data Controller in the event of a violation of their rights. The court shall proceed with the case ex officio.
3. If, in your opinion, we have not responded to your requests or comments, or have not responded in an appropriate manner or in an appropriate manner, you have the right to lodge a complaint with the competent supervisory authority.
National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
The Data Controller is committed to implementing the principles of lawful, transparent and fair data processing, therefore, in situations deemed to be harmful, we take immediate action to clarify the issues raised and to remedy the harm identified, and to inform you of the findings and the measures taken, and if you contact the Data Controller with a question regarding data processing, we will inform you within a maximum of 15 days of contacting us.
Budapest, 1st. December 2025.