The Don't Hurt the Forest Association www.nebantsdazerdot.hu Data Protection Information regarding the handling of personal data of natural persons

Name of the data manager: Ne Bántsd az Erdőt Egyesület Version number: v1.0 This policy is valid until withdrawn, and its scope extends to the organization's officials, employees and the organization's data protection officer.

Valid: from 21.11.2019

CHAPTER 1

General non-specific data management purpose information 1.1 Purpose of the Data Protection Information Ne Bántsd az Erdőt Egyesület, 7838 Vajszló, Durgó tanya Hrsz.: 025 (hereinafter service provider, data controller) as a data controller, recognizes the content of this legal notice as binding on itself. It undertakes to ensure that all data processing related to its activities meets the requirements set out in this Privacy Policy and in current international legislation, as well as in the legal acts of the European Union. The data protection guidelines arising in relation to the data management of Ne Bantsd az Erdőt Egyesület are continuously available at www.nebantsdazerdot.hu/adatvedelem. Ne Bantsd az Erdőt Egyesület reserves the right to change this information at any time. Of course, you will notify your audience of any changes in good time, at the previously provided web address. The Ne Bántsd az Erdőt Egyesület / committed to protecting the personal data of its customers and partners considers it of utmost importance to respect the right of its customers to self-determination of information. Ne Bántsd az Erdőt Egyesület / treats personal data confidentially and takes all security, technical and organizational measures that guarantee data security. 1.2 General information about data management The person identified as a "data controller" for the purposes of data management (who, or who, independently or in the case of multiple data management together with others, determines the purpose of data management, makes and implements decisions regarding data management, or has them implemented with the data processor) (hereinafter: data controller ) handles personal data exclusively for a specific purpose, in order to exercise a right and fulfill an obligation. It meets the purpose of data management at all stages of data management. The data manager processes personal data only to the extent and for the time necessary to achieve the purpose. The data manager records and reports the data managed for different purposes separately (treated as data management) in the data protection register, and provides information about it in the "Data Management Purposes" chapter of the Data Management Information. During data management, the data controller ensures the accuracy, completeness and, if necessary, up-to-dateness of the data in view of the purpose of the data management, and also ensures that the data subject can only be identified for the time necessary for the purpose of the data management. 1.3 General information about data processors The data manager uses data processors to carry out certain data management operations (such as storing data on the hosting provider's server). The rights and obligations of the data processor in relation to the processing of personal data are determined by the data controller. The data processor does not make substantive decisions regarding data management, processes the personal data it comes to know only in accordance with the provisions of the data controller, does not perform data processing for its own purposes, and stores and preserves the personal data in accordance with the provisions of the data controller. The contract for data processing was put in writing by the data controller and data processor(s). The data controller has not been entrusted with data processing by an organization that is interested in using the personal data to be processed in the course of its own business activities. The data controller is responsible for the legality of the instructions given by the data controller. Details regarding the data and activities of the data processors used are indicated in the data management purposes. Note: if you do not use an external data processor, delete this paragraph.

CHAPTER 2

Data of the data controller 2.1 Data of the data controller Name: Ne Bántsd az Erdőt Egyesület Headquarters address: 7838 Vajszló, Durgó tanya Hours: 025 Mailing address: 9027 Győr, Klapka Gy. u.2 Company registration number: Name of the registering court: Pécs Városi Bíróság Tax number: 19164962-02 2.2 DPO - Data Protection Officer contact information If you have any questions for our company, you can contact us at the following address. Our data protection officer is happy to help you. Name of our data protection officer: Franczia-Pallang Zsuzsanna Mailing address: 2 Klapka Gy. u. 9027 Győr. Email address: zsuzsanna.pallang@gmail.com Phone number: +36 70 378 0437

CHAPTER 3

The range of personal data managed, as data management purposes, separately defined number of purposes {Membership registration} 1.) Information of the Data Controller Contact person (name): Franczia-Pallang Zsuzsanna Phone number: +36 70 378 0437 Email address: zsuzsanna.pallang@gmail. com Data controller tax number: 19164962-02 Data controller name: Ne Bantsd az Erdőt Egyesület Type of data controller: Country: Hungary Postal code: 7838 City name: Vajszló Name of public area, type of public area, house number: Durgótanya 025. hrsz. Note: if there is multiple data processing, it is necessary to list the data of the additional data controllers here, and to indicate the data controllers by numbering and separately from each other! 2.) Address or website of actual data management: www.nebantsdazerdot.hu 3.) Purpose of data management: Description of the purpose of data management: Registration of the association's membership and membership procedure a4.) Legal basis for data management: Name of the legal basis for data management: legal obligation 5.) Data processing Contact person name: Telephone number: Email address: Name of data processor: Activity of the data processor related to data management: Country: Postal code: City name: Name of public area, type of public area, house number: Place of data processing (website or address): Data processing technology: 6.) Personal data managed by the data controller data The data concerning the data subjects: Name of personal data The reason why the data controller wants to process it Name Statutory obligation Address Statutory obligation E-mail Member contact. Referral of the affected person Telephone number Contacting the member. It is necessary for the data subject to indicate which personal data and WHY it is absolutely necessary for the data subject to provide it, if the fact that some (or all) data is required ("mandatory") for valid registration, subscription, etc. is indicated on the form requesting the data . Duration of data management: Duration of data management: Until the date of deletion by the data subject, or for the period prescribed by law after the termination of membership. Source of data: Directly from the data subject 7.) Scope of stakeholders: Members of the association who joined as natural persons. 8.) The scope of persons entitled to access the data: Officials of the association and employees involved in administrative activities. In the information, it is necessary to detail who can access the data and in what way. 9.) Infotv. Information on data management following completion of the interest assessment test based on § 6. (5). The data subjects must be informed of the test result in such a way that they can clearly determine on the basis of which legitimate interest the processing of personal data by the data controller without their consent can be considered a proportionate restriction. Note: if you do not have such data management, delete this row of the table. 10.) Data transmission The data processed during data processing for this purpose will be transmitted to the data controllers found under data transmission no. Note: if you do not transfer data to a third party, delete this row of the table. target no. {Inquiry for marketing purposes} 1.) Information of the Data Controller Contact person (name): Zsuzsanna Franczia-Pallang Phone number: +36 70 378 0437 Email address: zsuzsanna.pallang@gmail.com Data Controller tax number: 19164962-02 Data Controller name: Ne Bantsd az Erdőt Egyesület Data controller type: Country: Hungary Postal code: 7838 Town name: Vajszló Name of public area, type of public area, house number: Durgótanya 025. hrsz. Note: if there is multiple data processing, it is necessary to list the data of the additional data controllers here, and to indicate the data controllers by numbering and separately from each other! 2.) Address or website of actual data management: www.nebantsdazerdot.hu 3.) Purpose of data management: Description of the purpose of data management: Registration of the association's membership and membership procedure 4.) Legal basis for data management: Name of the legal basis for data management: consent of the data subject 5.) Data processing Contact person name: Kiss Gyula István Phone number: 06202779388 Email address: kiss.gyula.istvan@gmail.com Name of data processor: Balázs Eszter ev Activity of the data processor related to data management: marketing communication Country: Hungary Postal code: 7370 City name: Sásd Name of public area, type of public area, house number: 8 Kolozsvár u. Fsz.2. Place of data processing (website or address): wix.com Data processing technology: CRM and newsletter system 6.) Personal data managed by the data controller Data concerning the data subjects: Name of the personal data The reason why the data controller wants to process it Name Contact, marketing inquiries County Contact, marketing inquiry City Contact, marketing inquiry E-mail Contact, marketing inquiry Phone number Contact, marketing inquiry It is necessary to indicate which personal data and WHY it is absolutely necessary for the data subject to provide, if this fact is indicated on the form requesting the data that the provision of some (or all) data is required ("mandatory") for valid registration, subscription, etc. Duration of data management: Duration of data management: Until the date of deletion by the data subject. Source of the data: Directly from the data subject 7.) Scope of stakeholders: Our subscribers registered on the website 8.) Scope of persons entitled to access the data: Officials of the association and employees involved in administrative activities. In the information, it is necessary to detail who can access the data and in what way. 9.) Infotv. Information on data management following completion of the interest assessment test based on § 6. (5). The data subjects must be informed of the test result in such a way that they can clearly determine on the basis of which legitimate interest the processing of personal data by the data controller without their consent can be considered a proportionate restriction. Note: if you do not have such data management, delete this row of the table. 10.) Data transmission The data processed during data processing for this purpose will be transmitted to the data controllers found under data transmission no. Note: if you do not transfer data to a third party, delete this row of the table.

CHAPTER 4

Data transmissions Note: if you do not transmit data to a third party, this is covered by III. delete chapter. data transfer No. 1 is the data transfer(s) of purpose No. 1 Type of data transmitted by a third party receiving data, their listing: Name and full address of the recipient of data transfer: Legal basis for data transfer: Name of the legal basis for data transfer: Note: if data processing for the same purpose is transferred to several data processing units, it must be listed here also mark the data of the other data controllers, numbering the data controllers separately from each other! Type of data transferred by the data controller receiving data, their list: Name and full address of the recipient of data transfer: Legal basis for data transfer: Name of the legal basis for data transfer:

CHAPTER 5

Cookies 6.1 The purpose of cookies is to collect information about visitors and remember the individual settings of visitors on their devices, which will be used, e.g. when using online transactions, so you don't have to type them in again; facilitate the use of the website; they provide a quality user experience. In order to provide customized service, a small data package, so-called it places a cookie and reads it back during the next visit. If the browser returns a previously saved cookie, the cookie management service provider has the opportunity to connect the user's current visit with previous ones, but only with regard to its own content. 6.2 Absolutely necessary session cookies The purpose of these cookies is to allow visitors to fully and smoothly browse the Ne Bántsd az Erdőt Egyesület website, use its functions and the services available there. The validity period of this type of cookie lasts until the end of the session (browsing), when the browser is closed, this type of cookie is automatically deleted from the computer or other device used for browsing. 6.3 Cookies placed by third parties (analytics) The Ne Bántsd az Erdőt Egyesület website also uses cookies from Google Analytics as a third party. By using the statistical service Google Analytics, Ne Bantsd az Erdőt Egyesület collects information about how visitors use its website. The data is used for the purpose of developing the website and improving the user experience. These cookies also remain on the visitor's computer or other device used for browsing, in their browser, until they expire, or until the visitor deletes them.

CHAPTER 6

The rights of the data subject

6.1 Right to information Ne Bántsd az Erdőt Egyesület takes appropriate measures in order to provide the data subjects with all the information mentioned in Articles 13 and 14 of the GDPR and Articles 15-22 regarding the processing of personal data. and provide each piece of information according to Article 34 in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded. The data protection and data management information of the Ne Bántsd az Erdőt Egyesület can be found at the following link: www.nebantsdazerdot.hu/adatvedelem

6.2 The data subject's right to access At the request of the data subject (as any natural person identified or identifiable on the basis of specific personal data) (hereinafter: data subject), the data controller provides information about the data subject's data managed by him or processed by the data processor commissioned by him or at his disposal, source, purpose, legal basis, duration of data processing, name and address of the data processor and activities related to data processing, the circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the legal basis and addressee of the data transfer in case of transmission of the data subject's personal data. In addition to obtaining information through a request addressed to the data controller, the data subject can also obtain information about the data processing affecting his personal data from the data protection register. The data protection register is public, anyone can consult it and make a note of its contents. The data controller shall provide the information within a maximum of one month from the date of submission of the request.

6.3 Right to rectification - You can request the correction of your personal data. Based on the request of the person concerned, the data controller examines the personal data included in the rectification request to see if it really does not correspond to reality. If the personal data does not correspond to the reality, and the personal data corresponding to the reality is available to the data controller, the personal data will be corrected by the data controller. The data controller shall mark the personal data it manages if the data subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established.

6.4 Right to erasure - You can request the erasure of your personal data, except for mandatory data management. Based on the data subject's request, the data controller will delete or block the personal data included in the request. When deleting the data, the data manager makes the personal data unrecognizable in such a way that its recovery is no longer possible. If one of the following reasons exists, the data subject has the right to request that the data controller delete the personal data concerning him/her without undue delay; the personal data are no longer needed for the purpose for which they were collected or otherwise processed; the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management; the data subject objects to data processing and there is no overriding legal reason for data processing; personal data has been processed unlawfully; the personal data must be deleted in order to fulfill the legal obligation prescribed by the EU or Member State law applicable to the data controller; the collection of personal data took place in connection with the offering of services related to the information society. In addition to data deletion based on the data subject's request, the data controller deletes the personal data if a) its processing is illegal; it is incomplete or incorrect and this condition cannot be legally remedied, provided that the deletion is not precluded by law; the purpose of the data management has ceased, or the statutory period for data storage has expired; it was ordered by the court or the Authority. Data deletion cannot be initiated if data management is necessary: for the purpose of exercising the right to freedom of expression and information; for the purpose of fulfilling the obligation under the EU or Member State law applicable to the data controller requiring the processing of personal data, or for the execution of a task performed in the public interest or in the context of the exercise of public authority conferred on the data controller; affecting the field of public health, or for archival, scientific and historical research purposes or for statistical purposes, on the basis of public interest; or to submit, assert or defend legal claims. The Data Controller shall delete the personal data immediately, but no later than within 30 days. The data controller notifies the data subject of the deletion, as well as all those to whom the data was previously transmitted for the purpose of data management. The notification can be omitted if this does not harm the legitimate interests of the data subject in view of the purpose of the data management. If the data controller does not comply with the data subject's request for rectification, blocking or deletion, within 30 days of receiving the request, it shall communicate the factual and legal reasons for rejecting the request for correction, blocking or deletion in writing or with the consent of the data subject electronically. Note: if you do not forward data to a third party, delete the text highlighted here in green.

6.5 The right to limit data processing - The data subject may request the restriction of his personal data, except for mandatory data processing. The data controller blocks the personal data instead of deleting them, if the data subject requests this, or if, based on the available information, it can be assumed that the deletion would harm the legitimate interests of the data subject. The personal data locked in this way can only be processed as long as the data management purpose that precluded the deletion of the personal data exists. During the blocking of the data, the data controller provides the personal data with an identification mark for the purpose of limiting its further processing permanently or for a specified period of time. The data controller restricts data processing if one of the following conditions is met: the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period that allows the accuracy of the personal data to be checked; the data processing is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use; the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims; or the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject. If data management is subject to restrictions, personal data may only be processed with the consent of the data subject, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the Union or a member state. The Data Controller shall block the personal data immediately, but within 30 days at the latest. The data manager notifies the data subject and all those to whom the data was previously transmitted for the purpose of data management about the blocking. The notification can be omitted if this does not harm the legitimate interests of the data subject in view of the purpose of the data management. If the data controller does not comply with the data subject's request for rectification, blocking or deletion, within 30 days of receiving the request, it shall communicate the factual and legal reasons for rejecting the request for correction, blocking or deletion in writing or with the consent of the data subject electronically. Note: if you do not forward data to a third party, delete the text highlighted here in green.

6.6 Right to data portability The data subject has the right to receive the personal data concerning him/her provided to the data controller in a segmented, widely used, machine-readable format, and to transmit this data to another data controller.

6.7 Automated decision-making in individual cases, including profiling In the case of a decision made with automated data processing, you can request information from the data controller and explain your position. to express his position. Note: if you don't have an automatic data processing process that involves some kind of decision-making (e.g. profiling solutions), delete the texts highlighted in gray at the top and bottom. You can submit a request to the data controller or express your position regarding automatic data processing at any of the following contacts:

For postal correspondence: 2 Klapka Gy. u. 9027 Győr.

Email address: zsuzsanna.pallang@gmail.com

 

Information is provided free of charge if the person requesting information has not yet submitted an information request to the data controller for the same data set in the current year. In other cases, reimbursement may be established. The amount of reimbursement can also be fixed in the contract between the parties. The compensation already paid must be refunded if the data was handled unlawfully or the request for information led to a correction. The data controller informs the data subject in writing about the subject of the request or about the rejection of the request as soon as possible, but no later than 15 days after the submission of the request.

6.8 Right to object - You can object to the processing of your personal data The data subject can object to the processing of your personal data in the form of a statement in the following cases: if the processing or transmission of personal data is necessary solely to fulfill a legal obligation of the data controller or to assert the legitimate interests of the data controller, data receiver or third party, except in the case of mandatory data management, if personal data is used or forwarded for the purpose of direct business acquisition, public opinion polls or scientific research. A protest statement is a statement in which the data subject objects to the processing of his or her personal data and requests the termination of data processing or the deletion of the processed data. The data controller examines the objection as soon as possible, but no later than 15 days after the submission of the application, makes a decision on its validity, and informs the applicant of his decision in writing. If the data controller determines that the data subject's protest is well-founded, it will terminate the data management, including further data collection and transmission, and block the data, as well as notify all those to whom the personal data affected by the protest was previously transmitted, about the protest and the measures taken based on it. are obliged to take measures to enforce the right to protest. The data controller cannot delete the data subject's data if the data processing is ordered by law. However, the data cannot be forwarded to the data recipient if the data controller has agreed to the objection or the court has established the legitimacy of the objection. Note: if you do not transfer data to a third party, delete the sections highlighted in green.

6.9 Right of withdrawal The data subject has the right to withdraw his consent at any time.

CHAPTER 7

The data subject's legal enforcement options

7.1 File your complaint with the data controller in the first instance If you, as a data subject, believe that the data controller has violated your privacy rights by illegally handling your personal data or violating data security requirements, we recommend that you file your complaint with the data controller in the first instance. The data controller will receive your complaint at the following contact details:

For postal correspondence: 2 Klapka Gy. u. 9027 Győr.

Phone: +36 70 3780437

Email address: zsuzsanna.pallang@gmail.com

The data controller shall respond in writing to the complaints received as soon as possible, but no later than 15 days after the submission of the request. If you do not receive a response from the data controller within this deadline, or if the response is received but you do not agree with it, you can contact the authority dealing with data management.

7.2 Contact the Authority as a second step. In the event that you have already contacted the data controller with your complaint regarding the handling of your personal data, but they have not responded to you within the legally defined period, or have responded but you do not agree with their response, you may file a complaint with the National Data Protection and Freedom of Information Authority (NAIH). NAIH contact information:

Name: National Data Protection and Freedom of Information Authority

Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, Pf.: 5.

Phone: 0613911400 Fax: 0613911410

7.3 Go to court as a last resort The affected data recipient may go to court against the data controller: in the event of a violation of their rights, and if the data subject does not agree with the data controller's decision based on the objection request, or if the data controller misses the deadline of no more than 15 days from the submission of the objection request (within 30 days from the announcement of the decision or the last day of the deadline), if the request for correction, deletion or blocking is rejected (after 25 days after receipt of the request), if, the data controller is the data controller of the request for correction, blocking or deletion factual and legal reasons for rejecting a request are not accepted if the data controller refuses the data controller's request for the data it manages or processes by the data processor commissioned by it or at its disposal, its source, the purpose, legal basis, duration of the data processing, the name and address of the data processor and data management s, the circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the legal basis and recipient of the data transmission in the case of transmission of the data subject's personal data, you can apply to the court. During the lawsuit, the data controller is obliged to prove that the data management complies with the provisions of the law. At the choice of the data subject, the lawsuit can also be initiated before the court of the data subject's place of residence or residence. The Authority can intervene in the lawsuit in order to win the case for the person concerned.

CHAPTER 8

Data protection 8.1 Data protection incident A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled. In the absence of appropriate and timely measures, a data protection incident can cause physical, financial or non-financial damage to natural persons, including the loss of control over their personal data or the restriction of their rights, discrimination, identity theft or identity abuse. The data protection incident must be reported to the competent supervisory authority without undue delay, at the latest within 72 hours, unless it can be proven in accordance with the principle of accountability that the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. The affected person must be informed without delay if the data protection incident is likely to involve a high risk to the rights and freedom of the natural person, so that he can take the necessary precautions. 9.2 General data protection regulations The data controller has planned and implements the data management operations in such a way that Info tv. and during the application of other rules regarding data management, ensures the protection of the privacy of the data subjects, as follows: The data manager (or the data processor entrusted by him) ensures the security of the data, and also takes the technical and organizational measures and established the procedural rules that Infotv. , as well as are necessary to enforce other data and confidentiality rules. The data controller has taken appropriate measures, in particular, against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, as well as inaccessibility resulting from changes in the technology used. In order to protect the data files managed electronically in the various registers, it ensures with a suitable technical solution that the data stored in the registers are not directly linked and assigned to the data subject. During the automated processing of personal data, the data controller and the data processor shall take additional measures to ensure ■ the prevention of unauthorized data entry; ■ the prevention of the use of automatic data processing systems by unauthorized persons using data transmission equipment; ■ the verifiability and ascertainability of which personal data is used by the use of data transmission equipment transmitted or may be transmitted to bodies; ■ the verifiability and ascertainability of which personal data was entered into the automatic data processing systems, when and by whom; ■ the restoreability of the installed systems in the event of a malfunction and ■ that a report is prepared on errors occurring during automated processing. Note: if there is no automatic data processing, delete the parts highlighted in orange. ● The data controller and the data processor(s) take into account the state of the art when determining and applying measures for data security. Among several possible data management solutions, the one that ensures a higher level of protection of personal data was chosen, except in cases where this represents a disproportionate difficulty for the data manager or the data processor. Note: if you do not use an external data processor, delete the section highlighted in purple.

CHAPTER 9

Other provisions We provide information about data management not listed in this information when the data is collected. We inform our customers that the court, the prosecutor, the investigative authority, the infringement authority, the public administrative authority, the National Data Protection and Freedom of Information Authority, the Hungarian National Bank, or other bodies based on the authorization of the law, provide information, communicate data, transfer documents, or they can contact the data controller to make it available. The <Name of your Company / Company>. to the authorities - if the authority has indicated the exact purpose and the scope of the data - personal data will be released only to the extent and to the extent that is absolutely necessary to achieve the purpose of the request.

CHAPTER 10

Data protection minor (definitions) GDPR (General Data Protection Regulation) the new Data Protection Regulation of the European Union data subject: any natural person identified or directly or indirectly identifiable on the basis of personal data; personal data: data that can be associated with the data subject, in particular the data subject's name, identifier sign, as well as knowledge characteristic of one or more physical, physiological, mental, economic, cultural or social identities, as well as the conclusion about the data subject that can be drawn from the data; consent: the voluntary and definite expression of the wishes of the data subject, which is based on adequate information, and with which his unequivocal consent for the processing of the personal data concerning him/her in full or covering certain operations; protest: the statement of the data subject objecting to the processing of his/her personal data and requesting the termination of the data processing or the deletion of the processed data; data controller: the natural or a legal person or an organization without legal personality who, or which determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or has them implemented by the data processor it has commissioned; data management: regardless of the procedure used, the data any operation performed or the set of operations, including, for example, collection, recording, recording, organization, storage, alteration, use, transmission, disclosure, coordination or connection, blocking, deletion and destruction, as well as the prevention of further use of the data. The taking of a photograph, sound or image recording, as well as the recording of physical characteristics suitable for identifying the person (e.g. finger or palm print, DNA sample, iris image) are considered data management; data transfer: if the data is made accessible to a specific third party; data deletion: making the data unrecognizable in such a way that their restoration is no longer possible; data blocking: making it impossible to transmit, learn, disclose, transform, change, destroy, delete, connect or coordinate and use data permanently or for a specified period of time; data processing: performing technical tasks related to data management operations , regardless of the method and tool used to perform the operations, as well as the place of application; data processor: the natural or legal person or organization without legal personality, who or which the data controller entrusts processes personal data, including the assignment based on the provisions of the law; third party: a natural or legal person, or an organization without legal personality, which is or is not the same as the data subject, the data controller or the data processor; data protection incident: personal data unlawful handling or processing, including in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage; data security: organizational, technical measures against unauthorized handling of personal data, including in particular acquisition, processing, alteration and destruction a set of solutions and procedural rules; the state of data management in which the risk factors and thus the threat are reduced to a minimum by organizational, technical solutions and measures;