White Whale Creative Kft., as controller (hereinafter: the “Controller”, “we”), in this Privacy Notice (hereinafter: the “Notice”), informs data subjects (hereinafter: the “Data Subjects”, “you”, plural “you all”) in a clear and intelligible form about:
how we collect, for what purposes we use, and according to what principles and rules we process your personal data,
which personal data are processed in the course of producing advertising content, providing our advertising services (together, the “Services”), and when you use our Website,
the circumstances under which we may disclose your personal data to others, and
the rights you may exercise in relation to the processing of your personal data.
As Controller, we reserve the right to unilaterally amend this Notice at any time. We shall provide information on any material amendments to the Notice on our Website and in our newsletter.
I. WHO IS RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA?
We determine the purposes and means of processing; accordingly, as controller we are responsible for ensuring that, when processing your personal data, we act in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and the applicable legislation.
Controller’s name: White Whale Creative Kft.
Registered office: 1071 Budapest, Bethlen Gábor utca 43. 1. em. 7. ajtó
Tax number: 32460692-2-42
Company registration number: 01-09-425269
E-mail address: hello@whitewhalecreative.com
II. DEFINITIONS
For the interpretation of this Notice, knowledge of the basic concepts of data protection is indispensable. The definitions are set out in Article 4 of the GDPR, from which we highlight the following:
“personal data”: any information relating to an identified or—by anyone—identifiable natural person (“data subject”);
“identifiable”: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“special category data”: any data falling within the special categories of personal data, that is, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, and personal data concerning a natural person’s sex life or sexual orientation;
“processing”: any operation or set of operations performed on personal data;
“processing operations”: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
“disclosure to the public”: making the data available to anyone;
“erasure of data”: rendering the data unrecognisable in such a manner that their restoration is no longer possible;
“filing system”: any structured set of personal data—whether centralised, decentralised, or arranged according to functional or geographical criteria—which is accessible according to specific criteria;
“restriction of processing”: the marking of stored personal data with the aim of limiting their future processing;
“profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“pseudonymisation”: the processing of personal data in such a manner that, without the use of additional information, the personal data can no longer be determined to relate to a specific natural person, provided that such additional information is kept separately and technical and organisational measures are in place to ensure that this personal data is not attributed to an identified or identifiable natural person;
“controller”: the person who, alone or jointly with others, determines the purposes and means of the processing;
“processor”: the person who processes personal data on behalf of the controller;
“data subject”: any identified or—directly or indirectly—identifiable natural person on the basis of personal data;
“recipient”: the person to whom the personal data are disclosed (irrespective of whether they are a third party);
“third party”: any person other than the data subject, the controller, the processors or persons authorised to process personal data under their direct authority;
“consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
III. WHAT PERSONAL DATA DO WE PROCESS?
Depending on how you use our Website, and on what information you share with us when you express interest in, or make use of, our Services, we may collect the following personal data from you:
a. name (surname and/or given name)
b. e-mail address
c. residential address and/or billing address (country, city, postcode, house number)
d. tax number (only if an invoice is requested)
e. telephone number (business or personal)
f. photograph
g. audio recording
h. video recording
i. username
j. password provided during registration
k. any other personal information you share with us when completing a contact form
l. the personal information and your opinions that you share with us when completing a test or research survey, and when recommending our service on the Website
m. IP address, password, log-in data (e.g. time of registration), cookies and other technical information from which we can learn how you use our Website
n. geolocation data indicating where you live or work, or from where you access our Website
o. position (job title) and the name of your employer
p. the personal information you provide in the course of complaint handling.
IV. FOR WHAT PURPOSES DO WE USE YOUR PERSONAL DATA?
a. You may make enquiries about our Services by completing the contact form.
b. If you subscribe, we shall provide you with a regular newsletter service for the purpose of sending information content and direct marketing messages relating to our Services.
c. With your explicit consent, we may display your testimonial, including your name and photograph, on our Website.
d. In accordance with the principle of accountability and for the purpose of ensuring technical and security requirements, we automatically log—on the basis of legitimate interest—the technical data and conversion events generated by users of the Website in the course of using the Services.
e. We use the contact details of the contact persons of our business partners in connection with the conclusion, performance and termination of contracts, for the purpose of recommending additional Services related to the Services used, and for the fulfilment of accounting obligations.
f. In the course of our content production activities, we process the personal data of actors, extras, and other participants featured in advertising films, behind-the-scenes films, and other audiovisual media content (social media videos, films), as well as in photography and audio recordings.
g. We maintain a casting database containing the personal data of individuals who have applied as actors or extras and who have expressly consented to being included in the casting database.
h. We process the personal data of individuals designated as contact persons for the purpose of concluding, performing, amending, and terminating contracts.
i. We process the data of our business partners, and of their representatives or employees participating in our professional or marketing events, for the purpose of identification, and to document the events and the history of our company.
j. In the event of a complaint, we require your personal data for identification and communication purposes in order to conduct the complaints procedure.
The personal data collected through the use of cookies and social media pixels are used for the following purposes:
We use cookies to operate the Website, to facilitate and secure its use, to monitor and analyse user activity on the Website, and to display relevant advertisements. Most cookies cannot be used to identify you without further information; however, in certain cases a cookie may contain a cookie identifier that allows individual identification. Details are provided in our Cookie Notice. Social media pixels, which are software codes, enable the automated collection, transmission, and evaluation of your personal data by the social media service provider when you visit the Website, for the purpose of displaying relevant advertisements and performing remarketing activities. We cannot link these data to your identity; however, identification by third parties may be possible by means of a unique identifier. Further details are likewise provided in the Cookie Notice.
V. ON WHAT LEGAL BASIS DO WE PROCESS YOUR PERSONAL DATA?
As all processing activities carried out by the Controller fall within the scope of the GDPR, the processing of personal data shall be lawful only where and to the extent that one of the legal bases listed in Article 6 of the GDPR applies to the processing. Selecting the appropriate legal basis is essential not only because processing without such a basis would be unlawful, but also because the rights of the Data Subject differ depending on the applicable legal basis.
We request your consent for the following: to receive our newsletter service; to process your contact details provided through the contact form; to display your opinion or testimonial on our Website; to process your data in our casting database; to use cookies and social media pixels (consent is requested at each point of data provision, with specific reference to the information forming the basis of consent); and, as a business partner, for data processing related to camera surveillance.
Consent is also deemed to be given where you tick a checkbox to that effect when using our Website.
In other cases, the processing of your personal data is based on the following legal grounds:
the processing of your personal data is necessary for the performance of a contract concluded with you;
we are legally obliged to process your personal data;
our company has a legitimate interest, established by means of a balancing test, which justifies the processing.
Apart from processing based on the Data Subject’s consent, the Controller processes personal data on any of the above legal bases only if it can demonstrate that such processing is indeed necessary.
Where processing is based on the legitimate interest of the Controller or of a third party, personal data shall be processed only if, on the basis of a prior balancing test, it can be demonstrated that the Controller’s or third party’s interest prevails over the Data Subject’s interest. To establish the existence of a legitimate interest, the Controller shall in each case carefully examine whether, at the time and in the context of the collection of the personal data, the Data Subject could reasonably expect that processing would take place for the given purpose.
VI. DETAILED INFORMATION RELATING TO SPECIFIC PROCESSING OPERATIONS
CUSTOMER CONTACT DATA, PROCESSING OF CONTACT FORMS
Data Subjects: users of the Website who wish to contact customer service by completing the contact form.
Personal data processed: surname, given name, e-mail address, telephone number.
Source of data: directly from the Data Subject.
Purpose of processing: identification, maintaining contact, responding to the user’s enquiries and questions, and providing assistance related to the use of the Services.
Legal basis for processing: the Data Subject’s voluntary consent pursuant to Article 6(1)(a) GDPR.
The Data Subject shall have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
In the event of withdrawal of consent, all personal data shall be erased.
Duration of processing: until the Data Subject’s withdrawal of consent, but for no longer than two years.
Will data be transferred?: no.
SENDING NEWSLETTERS, PROCESSING FOR MARKETING PURPOSES
Data Subjects: users of the Website who have subscribed to the newsletter service.
Personal data processed: surname, given name, e-mail address.
Source of data: directly from the Data Subject.
Purpose of processing: identification; sending, by newsletter, content related to the Services and direct marketing messages.
Legal basis for processing: the Data Subject’s voluntary consent pursuant to Article 6(1)(a) GDPR.
The Data Subject shall have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In the event of withdrawal of consent, all personal data shall be erased.
Duration of processing: until the withdrawal of the consent declaration, i.e. until unsubscribing. We provide an unsubscribe option at the bottom of each newsletter.
Will data be transferred?: no.
PROCESSING RELATING TO USER TESTIMONIALS
Data Subjects: users of the Controller’s Services who recommend the Services on the Website.
Personal data processed: surname, given name, photograph, and other personal circumstances related to the use of the service.
Source of data: directly from the Data Subject.
Purpose of processing: recommending the Services to users of the Website by sharing positive experiences relating to the Controller’s Services.
Legal basis for processing: the Data Subject’s voluntary consent pursuant to Article 6(1)(a) GDPR.
The Data Subject shall have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In the event of withdrawal of consent, all personal data shall be erased.
Duration of processing: until withdrawal of consent.
Will data be transferred?: no.
WEBSERVER LOGGING
Data Subjects: users of the Website whose user activity is automatically logged by the webserver.
Personal data processed: identifier number, date and time of the visit, the address (URL) of the visited page and the time spent thereon, the IP address of the user’s computer, the type and version of the operating system and browser, and users’ searches.
Source of data: the Data Subject.
Purpose of processing: when visiting the Website, the Controller records visitor data in order to monitor the operation of the Services and the Website functions, and to prevent misuse.
Legal basis for processing: the Controller has a legitimate interest in identifying users and preventing misuse [Article 6(1)(f) GDPR].
Duration of processing: one month.
Possible consequences of failure to provide data: without the visitor data processed, monitoring the operation of the Services and the Website functions and preventing misuse is not possible. The Data Subject may not object to such logging, as the processing is justified by compelling legitimate grounds (the technical solutions widely used at present) without which the given Service cannot be provided.
DATA OF BUSINESS PARTNERS
Data Subjects: natural-person users of the Controller’s Services.
Personal data processed: surname, given name, residential address, the content of the receipt, and—in the case of a VAT invoice—name, address and tax number; the designation, quantity and purchase price of the service used; method of payment; other personal circumstances related to the use of the service; data appearing on business cards.
Source of data: directly from the Data Subject.
Purpose of processing: use of the Controller’s services; maintaining contact; keeping records of partners and distinguishing them from one another; use of the Services; fulfilment of payment obligations; invoicing.
Legal basis for processing: processing is necessary for the performance of a contract [Article 6(1)(b) GDPR]; with regard to billing data, Article 6(1)(c) GDPR (processing necessary for compliance with a legal obligation to which the Controller is subject, having regard to Számv. tv. (Act C of 2000 on Accounting — Hungarian Accounting Act) 169. § (2)).
Duration of processing: in the case of a contract, 5 years following the term of the contract; with regard to billing data, 8 years in accordance with Számv. tv. 169. § (2).
Possible consequences of failure to provide data: without the personal data processed, the conclusion of the contract, the fulfilment of payment obligations, and invoicing are not possible.
Will data be transferred?: no.
DATA PROCESSED IN THE COURSE OF THE CONTROLLER’S CONTENT PRODUCTION ACTIVITIES
Data Subjects: actors and extras featuring in video content production consistent with the Controller’s production activities, namely in advertising films, behind-the-scenes films, social media videos, photography and audio recordings produced by the Controller.
Personal data processed: surname, given name, e-mail address, telephone number, likeness, audio recording, audiovisual recording.
Source of data: the Data Subject or the casting agency forwarding the data.
Purpose of processing: production of videos, filming, presentation of the video, promotion of the video to a wider audience not specifically determinable in advance, taking photographs and audio recordings, carrying out production, fulfilment of payment obligations, invoicing.
Legal basis for processing: in the case of an extra, the Data Subject’s consent pursuant to Article 6(1)(a) GDPR; in the case of a performer, processing is necessary for the performance of a contract (Article 6(1)(b) GDPR); with regard to billing data, Article 6(1)(c) GDPR (processing necessary for compliance with a legal obligation to which the Controller is subject, having regard to Számv. tv. 169. § (2)).
Duration of processing: 5 years following the term of the contract; with regard to billing data, 8 years in accordance with Számv. tv. 169. § (2).
Possible consequences of failure to provide data: production of media content is not possible without the personal data processed.
Will data be transferred?: where the Data Subject consents, the data are transferred to the casting agency, which will thereafter process the data as an independent controller under its own privacy policy.
DATA PROCESSED IN THE CONTROLLER’S CASTING DATABASE
Data Subjects: persons applying to act as performers or extras in relation to films, photography and audio recordings who (in the case of minors via their legal representative) have expressly consented to inclusion in the casting database in the event of an unsuccessful application, as well as persons who, in the absence of a specific call, expressly request inclusion in the Controller’s casting database.
Personal data processed: surname, given name, e-mail address, telephone number, likeness, audio recording, audiovisual recording, special category data relating to specific requirements applicable to performers (e.g. in the case of alcohol advertising, a declaration excluding alcohol dependence; distinctive physical features of the performer which may indicate racial, ethnic or national origin).
Source of data: the Data Subject or the casting agency forwarding the data.
Purpose of processing: selection of performers for advertising films, behind-the-scenes films and other audiovisual media content (social media videos, films), photographs and audio recordings produced by the Controller.
Legal basis for processing: the voluntary consent of the Data Subject—or, in the case of a minor Data Subject, of the Data Subject’s legal representative—pursuant to Article 6(1)(a) GDPR; with regard to special category personal data, the Data Subject’s explicit voluntary consent pursuant to Article 6(1)(a) and Article 9(2)(a) GDPR.
Duration of processing: until the Data Subject’s withdrawal of consent, but for no longer than two years. Prior to deletion, the Controller will send an information e-mail concerning the expiry of the processing period. If the Data Subject does not give consent to the further processing of his or her personal data for a further period (a new maximum two-year period), the data will be deleted.
Possible consequences of failure to provide data: selection of performers for media content produced by the Controller is not possible without the personal data processed.
Will data be transferred?: where the Data Subject consents, the data are transferred to the casting agency, which will thereafter process the data as an independent controller under its own privacy policy.
PERSONAL DATA PROCESSED IN RELATION TO CONTACT PERSONS OF BUSINESSES CONTRACTING WITH THE CONTROLLER, AND IN THE COURSE OF CONTACT
Data Subjects: employees of third parties contracting with the Controller who are designated as contact persons for the performance of the contract, or persons in another work-related legal relationship with them.
Personal data processed: surname, given name, e-mail address, telephone number, position, other data appearing on business cards, likeness, the name of another Contributor provided by the contact person.
Source of data: the Controller’s contracting partner, and—regarding the likeness and the other Contributor—the contact person.
Purpose of processing: maintaining contact; performance of rights and obligations arising from the contract.
Legal basis for processing: legitimate interest in facilitating cooperation between the parties for the conclusion, performance and termination of the contract, and for enabling communication between the parties, pursuant to Article 6(1)(f) GDPR. (Balancing test available upon request.)
Duration of processing: for the period specified under the Számviteli tv., the Áfa tv. (Act CXXVII of 2007 on Value Added Tax) and the Art. (Act CL of 2017 on the Rules of Taxation), as set out above.
Will data be transferred?: no.
PROCESSING OF PERSONAL DATA RELATING TO PERSONS PERFORMING WORK UNDER OTHER WORK-RELATED LEGAL RELATIONSHIPS
Data Subjects: natural persons in a mandate or services (enterprise) relationship with the Controller.
Personal data processed: the names, addresses, e-mail addresses, mother’s name, place and date of birth, tax identification mark, tax number, contact details, identity document or passport number, bank account number, professional CV published on the Website, photo and video recording of the natural-person Contributors contracting with the Controller (suppliers).
Source of data: the Data Subject.
Purpose of processing: conclusion, performance and termination of the contract between the Controller and the Data Subject; fulfilment of the statutory retention obligation relating to tax documents and accounting records; enforcement of claims; in the event of a legal dispute, the ability to prove the content of the contractual relationship.
Legal basis for processing: for keeping records of the data of the contracting party, performance of a contract pursuant to Article 6(1)(b) GDPR. For issuing and retaining accounting documents, compliance with a legal obligation to which the Controller is subject pursuant to Article 6(1)(c) GDPR.
Duration of processing: on the basis of the obligation set out in the Act on Accounting (2000. évi C. törvény), the Controller shall retain the accounting document for 8 (eight) years following the termination of the Contract, or—if later—in the event of a legal dispute, for 5 (five) years following the closure of the dispute, in order to comply with its statutory obligation.
PROCESSING OF PERSONAL DATA IN CONNECTION WITH EVENTS
Data Subjects: participants in events related to the Controller’s services or to the operation of the company.
Personal data processed: name, position, likeness, audio recording, video recording.
Source of data: directly from the Data Subject.
Purpose of processing: reporting on the event; documenting the event; ensuring the fundamental rights to freedom of expression and access to information; documenting and archiving the company history of the Controller; and marketing promotion of the Controller’s activities and press communications.
Legal basis for processing: the Controller’s legitimate interest under Article 6(1)(f) GDPR in documenting and presenting, in visual form, events that represent or increase value for employees, and in organising and conducting professional and marketing events for existing and potential business partners.
Duration of processing: until the dissolution of the company.
Will data be transferred?: within the framework of press communications, the Controller may communicate the data to various press organs and may disclose them in the press and on its own online and social media platforms.
VII. PROVISIONS RELATING TO THE PROCESSING OF MINORS’ PERSONAL DATA
For a minor under the age of 14 and for any Data Subject otherwise lacking legal capacity, consent to data processing may be given only by the legal representative.
A minor who has reached the age of 14 but not yet 16, as well as a Data Subject otherwise of limited legal capacity, may give consent to data processing only with the consent or subsequent approval of the legal representative.
A minor who has reached the age of 16 may give consent independently; for the validity of such legal declaration, neither the prior consent nor the subsequent approval of the legal representative is required.
The Controller is not in a position to verify the authorisation of the person giving consent or to ascertain the content of the legal representative’s declaration; therefore, the Data Subject or the legal representative shall warrant that the consent complies with the applicable laws. When the Services are used, the Controller shall deem the appropriate consent of the legal representative to have been given.
VIII. AUTOMATED DECISION-MAKING AND PROFILING
In the course of data processing carried out under PREXA 2024, we do not engage in automated decision-making or profiling, and we do not process personal data for such purposes.
IX. WITH WHOM MAY WE SHARE YOUR PERSONAL DATA?
IDENTIFICATION OF DATA PROCESSORS
Certain personal data provided to us may, having regard to the purpose of the processing, be transferred to data processors engaged by us. The data processors shall process the personal data received in accordance with the provisions set out in the data processing agreement concluded with the Controller and shall not use such data for any other processing purpose.
Our permanent cooperating data processors are the following:
DATA PROCESSING ACTIVITY | NAME | ADDRESS / CONTACT |
---|---|---|
Document storage hosting | Google Cloud EMEA Limited; Dropbox; iCloud; OneDrive | 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; 1800 Owens Street, Suite 200, San Francisco, California, 94158; One Apple Park Way, Cupertino, California, 95014; 98052-6399 US WA Redmond, One Microsoft Way |
Website hosting | Framer B.V. | Rozengracht 207, 1016 LZ Amsterdam, the Netherlands |
Meeting recording and note-taking | Atlassian Corporation | Level 29, 363 George Street, Sydney, NSW 2000, Australia |
Accounting and payroll services | Certax Consultant Kft. | 2049 Diósd, Mandula utca 21. B. ép. E-mail: certax.consult@gmail.com |
Invoicing, automatic invoice issuance | KBOSS.hu Kft. | 1031 Budapest, Záhony utca 7. Website: https://.szamlazz.hu/ E-mail: info@szamlazz.hu |
E-mail service; Microsoft Forms invitations | Microsoft Corporation; Google Gmail | 98052-6399 US WA Redmond, One Microsoft Way; 1600 Amphitheatre Parkway, Mountain View, California, 94043 |
Electronic signatures; PDF editing and storage | Adobe Acrobat | Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest, Business Campus, Saggart, Dublin 24, Ireland |
Project management and internal communication services | Salesforce, Inc.; Mango Technologies, Inc.; Adobe Inc. | Salesforce Tower, 415 Mission Street, San Francisco, CA 94105, United States, +1 415-901-7000; 350 Tenth Avenue, Suite 500, San Diego, CA 92101, United States, +1 888-625-4258; 345 Park Avenue, San Jose, CA 95110-2704, United States, +1 408-536-6000 |
GENERAL TERMS AND CONDITIONS OF DATA PROCESSING
The Processor, in compliance with the GDPR, undertakes to:
a) process personal data solely on the Controller’s written instructions—including any transfer of personal data to a third country or an international organisation—except where processing is required by Union or Member State law applicable to the Processor; in such case the Processor shall inform the Controller of that legal requirement before processing;
b) ensure that persons authorised to process personal data undertake a duty of confidentiality or are under an appropriate statutory obligation of confidentiality;
c) taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing and the varying likelihood and severity of risks to the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, where appropriate:
(i) pseudonymisation and encryption of personal data;
(ii) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
When determining an appropriate level of security, particular account shall be taken of the risks arising from processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
d) take measures to ensure that natural persons acting under the Processor’s authority who have access to personal data shall process such data only on the Controller’s instructions;
e) the Controller hereby authorises the Processor in advance to engage a further processor (sub-processor);
f) where the Processor engages a further processor to carry out specific processing activities on behalf of the Controller, the Processor shall by way of a contract or other legal act under Union or Member State law impose on that further processor the same data protection obligations as those set out in the Data Processing Agreement or other legal act, in particular requiring the further processor to provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. Where the further processor fails to fulfil its data protection obligations, the Processor engaging it shall remain fully liable to the Controller for the performance of that other processor’s obligations;
g) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR;
h) taking into account the nature of processing and the information available to the Processor, assist the Controller in ensuring compliance with the obligations pursuant to Articles 32–36 of the GDPR (Security of processing; Notification of a personal data breach to the supervisory authority; Communication of a personal data breach to the data subject; Data protection impact assessment; Prior consultation);
i) at the end of the provision of processing services, at the Controller’s choice, delete or return all personal data to the Controller and delete existing copies, unless Union or Member State law requires storage of the personal data;
j) make available to the Controller all information necessary to evidence the deletion of the data and copies, and to enable and contribute to audits, including inspections, conducted by the Controller or by another auditor mandated by the Controller. The Processor shall inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or national or Union data protection provisions;
k) notify the Controller of a personal data breach within 72 hours of becoming aware of it. Such notification shall at least:
(i) describe the nature of the personal data breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
(ii) provide the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
(iii) describe the likely consequences of the personal data breach; and
(iv) describe the measures taken or proposed by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
l) support the Controller in fulfilling requests by Data Subjects to exercise one or more of their rights granted by the GDPR;
m) where the Processor receives from any Data Subject a request to exercise one or more rights granted by the GDPR, inform the Data Subject to submit the request directly to the Controller and, at the same time, inform the Controller of the request without delay;
n) keep all records required under Article 30(2) GDPR and, where the processing of personal data on behalf of the Controller permits, make those records available to the Controller upon request.
The Processor undertakes to process the personal data in its possession solely in accordance with the applicable legislation.
The Controller shall be entitled, once per year at a date agreed in advance, to verify the performance of the activities recorded in the contract, in particular the manner in which the personal data of the Data Subjects are stored and processed.
If the Processor suffers damage in connection with the Controller’s activities, the Controller shall compensate such damage. If any claim for damages is brought against the Processor or proceedings are initiated in connection with the Controller’s activities, the Controller shall hold the Processor harmless from the damages, imposed fines or penalties within 30 days.
EXTERNAL SERVICE PROVIDERS
A. External intermediary service providers
The Website contains links originating from and pointing to external servers independent of the Controller. The server of an external service provider communicates directly with the user’s device. We draw the attention of Data Subjects to the fact that, due to the direct connection established with the user’s device and direct communication with their equipment, the providers of these links are able to collect user data (e.g. IP address, browser data, operating system data, address of the visited page and time of visit, Facebook user ID, registration plate number provided by the user). Any personalised content potentially displayed to the user is served directly by the external service provider’s server. Detailed information on the processing of data by the servers of external service providers can be obtained from the data controllers listed below.
The external service provider may analyse the user’s browsing habits on Websites using cookies stored on the visitor’s computer or smart device. The data thus collected are stored on the external service providers’ own servers, and their own privacy notices shall apply to such processing.
Detailed information on the use of cookies is provided in the Cookie Notice available on the respective Website and in the Cookie Panel used for managing consent, where you may decide on your consent for each cookie category.
In relation to content shared on various social networking platforms, the service provider enabling the sharing of such content shall qualify as the controller of the personal data, and its own terms of use and privacy policy shall apply to its activities. Such external intermediary services include:
EXTERNAL SERVICE PROVIDER | LINK TO PRIVACY NOTICE |
---|---|
Meta | https://www.facebook.com/privacy/policies/cookies/?entry_point=cookie_policy_redirect&entry=0 |
TikTok | |
YouTube | |
The data processing carried out within social media platforms is, in all cases, subject to the respective social media platform’s own privacy notice, policy, and practice, which are continuously published on the interfaces operated by the respective service provider. Both the social media platform and the Controller qualify as data controllers.
B. External Web Analytics Companies
For the operation of our web-based services, we use the services of external web analytics and ad-serving companies. The web analytics and ad-serving providers use, in addition to cookies, tracking pixels for the purpose of collecting information relating to the measurement of user habits and the serving of advertisements.
Google Analytics
On our Website we use the Google Analytics audience measurement service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), which analyses user behaviour through the use of cookies. Google Analytics also records the IP addresses of visitors to the Website; however, it shortens them before storage or analysis, thereby anonymising them—where technically possible. The anonymisation takes place within the territory of the European Union or the European Economic Area.
Personal data may be transferred to Google’s servers in the United States, given that Google LLC acts as the processor of Google Ireland Limited. However, the adequacy of this transfer is ensured by the European Commission’s Adequacy Decision C(2023) 4745 concerning the EU–US Data Privacy Framework.
C. Social Media Pixels
On our Website, we use the Meta pixel, which enables Meta to treat visitors to our Website as a target audience for the display of Meta advertisements, so that certain remarketing-related Meta ads appear only to those Facebook users who have shown an interest in our Services.
The Facebook pixel also allows us to analyse the effectiveness of our Facebook advertisements for statistical and market research purposes. In this way, we can determine whether users reached our Website by clicking on a Facebook advertisement. By embedding the Meta pixel on our Website, we have enabled Facebook and Instagram to place a cookie on your device. If you subsequently log in to Facebook or Instagram, or visit Facebook or Instagram pages while logged in, Meta will record your visit to our Website in your profile. The data collected about you are anonymous to us, meaning we cannot determine your identity based on them. However, Meta stores and processes these data, which may therefore be linked to the respective user profile. In the course of using Meta pixels, the Controller (we) and Meta qualify as joint controllers.
The processing of data by Facebook is governed by its own privacy policies. Further information on the functioning of the remarketing pixel and on Meta advertisements in general can be found in Meta’s privacy notice, available at:
https://www.facebook.com/policy.php
You may opt out of data collection via the Meta pixel and the use of your data for Facebook advertisement purposes via the following platform:
http://www.youronlinechoices.com/
The settings are platform-independent, meaning they apply both to desktop computers and mobile devices. Detailed information on the use of cookies and social media pixels is provided in the Cookie Notice and cookie settings section of each Website.
Transfers of data to third countries (countries not belonging to the European Union or the European Economic Area) shall take place only where such transfer is expressly provided for in this document and is in compliance with Articles 44–49 of the GDPR. Transfers of personal data from the EU to the USA and to the United Kingdom are based on the European Commission’s adequacy decisions, which have determined that these third countries provide an adequate level of protection for personal data comparable to that under the GDPR.
X. DATA SECURITY MEASURES
Data security means the physical, administrative, and logical protection of personal data.
In the course of our data processing activities, in compliance with our obligations under the GDPR, we take all necessary technical and organisational measures and establish the internal procedural rules required to ensure the enforcement of data security requirements.
We protect the security of data processing through technical, organisational, and structural measures that provide a level of protection appropriate to the risks associated with the processing. During data processing, we maintain:
a) Confidentiality, meaning that information is protected so that only those who are authorised may have access to it;
b) Integrity, meaning that information and the method of its processing are protected for accuracy and completeness;
c) Availability, meaning that the authorised user shall have access to the required information when needed, together with the tools necessary for such access.
We treat all personal data under our control as confidential and protect them by appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorised disclosure, or unauthorised access.
Our IT systems and other data storage facilities used in the course of our activities are located at our registered seat and at the premises of our data processors, in secured areas.
Our own IT systems and those of our partners are adequately protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flooding, as well as computer viruses, hacking attempts, and denial-of-service attacks. Security is ensured through both server-level and application-level protective procedures.
For electronic data processing and record-keeping, we use computer programs that comply with data security requirements. These programs ensure that access to data is possible only for specific purposes, under controlled conditions, and only by persons whose duties require such access.
To reduce the risk of unauthorised access to data stored in our IT systems in the event of a breach, we implement the following measures:
use of firewalls and appropriate antivirus protection;
periodic log analysis based on system logs;
regular IT maintenance, inspection, and continuous monitoring of IT systems;
all computers are protected by individual passwords; access to the shared server is only possible by password via VPN; data stored in cloud systems (Google Drive, OneDrive) are also accessible only by password;
for certain systems, users must employ two-factor authentication (e.g., social media accounts);
consents, subscriptions, and similar confirmations are stored by the systems in an identifiable manner; the Controller protects access to documents and desktop computers with passwords of sufficient strength, as well as through other security measures.
We continuously ensure the adequate physical protection of the data and of the devices and documents containing such data. Based on the current state of technology and our prior experience, the existing security measures are sufficient to manage the risks involved.
XI. RIGHTS AND OBLIGATIONS RELATING TO PERSONAL DATA BREACHES
The Controller endeavours to take all technical and organisational measures that can prevent the occurrence of personal data breaches and, additionally, measures that contribute to the effective management of such breaches and mitigate their impact on the rights and freedoms of Data Subjects.
A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The “destruction” of personal data refers to cases where the data no longer exist, or exist in a form unusable for the Controller.
“Loss” means that personal data continue to exist but are no longer accessible to or held by the Controller.
“Alteration” occurs where personal data have been modified in their state, content, or appearance.
“Unauthorised disclosure” means the sharing of personal data with persons who are not authorised to access them.
“Unauthorised access” refers to a situation in which an unauthorised person is able to become acquainted with personal data.
Personal data breaches can be categorised according to three well-known information security principles:
Confidentiality breach: unauthorised or accidental disclosure of, or unauthorised or accidental access to, personal data;
Integrity breach: unauthorised or accidental alteration of personal data;
Availability breach: accidental or unauthorised loss or destruction of personal data.
When assessing a personal data breach, the Controller may take one of the following four decisions:
If, on the basis of the investigation, it is established that no personal data breach has occurred (for example, because no security was compromised, or the compromise did not concern personal data, or did not result in the outcomes defined in the concept of a breach), the Controller informs any potential notifier accordingly and closes the case.
If the Controller, in line with the principle of accountability, can demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification to the competent supervisory authority may be omitted.
This includes cases where appropriate measures—such as encryption—have prevented unauthorised persons from accessing the data, thereby making them unintelligible without the encryption key. However, even with adequate encryption, notification may still be required if no proper backup of the affected personal data exists.
If none of the above circumstances apply, the Controller’s representative shall, without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, notify the competent supervisory authority.
If, on the basis of the investigation, it is established that the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall, without undue delay, inform the Data Subjects of the breach.
The Controller’s Incident Management Policy regulates:
the designation of the persons involved in incident management;
the procedures for detection and risk assessment of incidents; and
the rules governing notification of the supervisory authority and the information of Data Subjects.
XII. RIGHTS OF DATA SUBJECTS
Below we set out in detail the rights of Data Subjects, which we ensure under the GDPR for the exercise of their right to informational self-determination.
The rights of Data Subjects are not absolute: their exercise may be subject to certain conditions or exceptions.
We can comply with a Data Subject’s request for the exercise of their rights only where this is permitted by data protection legislation, or where we are required to do so under applicable data protection law.
The provisions of this Privacy Notice do not and cannot confer on Data Subjects any rights that extend beyond those established by data protection legislation.
RIGHT OF THE DATA SUBJECT | CONTENT |
---|---|
a, Right to Transparent Information | You have the right to receive clear, transparent, and easily understandable information on how we process your personal data and on the rights you may exercise in relation to such processing. We fulfil this obligation in this Privacy Notice. |
b, Right of Access to Personal Data | You have the right to be informed whether or not we process your personal data, and, where we do, to obtain access to your personal data and information on how we process them. The purpose of this right is to ensure transparency regarding our processing activities concerning you and to enable you to verify our compliance with data protection laws. Access may be refused only where it would disclose personal data relating to another person or otherwise adversely affect the rights of another individual. |
c, Right to Rectification | You may request that we take reasonable steps to rectify your personal data if you consider that the data we process are inaccurate. |
d, Right to Erasure | This right—also known as the “right to be forgotten”—enables you to request the deletion or removal of your personal data where there is no compelling reason for us to continue processing them, or where their use would be unlawful. The right to erasure is not absolute and is subject to exceptions, for example, where the processing of your data is necessary for the establishment, exercise or defence of legal claims. |
e, Right to Restriction of Processing | You have the right to “block” or restrict further use of your personal data while we are assessing your rectification request, or as an alternative to erasure. Where processing is restricted, we may still store your data but shall not use them further without your consent or a legal basis. To comply with such restrictions, we maintain a record of individuals whose personal data have been “blocked.” |
f, Right to Data Portability | You have the right to receive the personal data we process about you on a structured, commonly used, and machine-readable medium, and to request the transmission of such data to another controller—provided that the processing is based on your consent or on a contract between us, and the processing is carried out by automated means. |
g, Right to Object | You have the right to object, on grounds relating to your particular situation, to the processing of your personal data where such processing is based on legitimate interest. Following your objection, we shall cease processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or where the processing is required for the establishment, exercise, or defence of legal claims. |
h, Right to Legal Remedy | If your rights are violated, you may lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) or bring the matter before a court, as detailed below. |
When you exercise your rights as a Data Subject, we shall inform you, without undue delay and in any event within one month of receiving your request, of the decisions taken and of the measures planned or implemented in response. The information shall be provided through the same channel used for submitting the request, unless you expressly request otherwise.
Except in cases of processing that does not require identification, we may request the provision of additional information necessary to confirm your identity if we have reasonable doubts as to the identity of the natural person submitting the request.
XIII. INFORMATION ON THE DATA PROTECTION OFFICER
When assessing the necessity of appointing a Data Protection Officer (“DPO”), the Controller considered the following criteria during the data protection legal audit, in accordance with Article 37 of the GDPR:
whether the Controller’s core activities involve processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of Data Subjects on a large scale;
whether the Controller’s core activities involve large-scale processing of special categories of personal data.
Based on the above assessment—and in the absence of an obligation under the GDPR—the Controller has not appointed a Data Protection Officer.
XIV. WHERE TO TURN IF YOU HAVE QUESTIONS OR WISH TO SEEK REDRESS?
If you would like to request further information regarding the processing of your personal data or wish to exercise any of your rights listed above, or if you are dissatisfied with the way we have handled your personal data, please contact us.
If you have any questions or comments, you may contact the Controller directly at:
E-mail: hello@whitewhalecreative.com
Please provide as much information as possible to help us identify the data you are requesting, the measure you wish us to take, and the reasons why you believe such action is necessary.
Before assessing your request, we may ask for additional information to verify your identity. If you fail to provide the requested information and, as a result, we are unable to identify you, we may refuse to comply with your request.
Any other comments or observations concerning our data processing may also be submitted in writing, by e-mail.
Similarly, any request received from the e-mail address previously provided to us shall be considered a request originating from the Data Subject.
If a request is submitted from a different e-mail address or in writing, you must provide appropriate proof of your identity as the Data Subject. Without such verification, we are unable to assess or fulfil the request. We generally respond to your request within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of your requests.
We do not charge a fee for such communication or for taking action, except in the following cases:
if you request additional copies of the personal data processed, we may charge a reasonable administrative fee; or
if your requests are manifestly unfounded or excessive, particularly due to their repetitive nature, we may charge a reasonable administrative fee or refuse to act on the request.
We retain complaints, inquiries, and requests submitted to us for six months from receipt, after which they are deleted, except for correspondence related to ongoing matters. Where the enforcement of a legal claim arises in connection with the matter, the data shall be retained for the limitation period applicable to the enforcement of such claim — typically five years, pursuant to Act V of 2013 on the Civil Code (Ptk.).
Data Protection Authority Procedure
If you believe that the processing of your personal data infringes the provisions of data protection legislation, you have the right to lodge a complaint with the competent supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Registered office: 1055 Budapest, Falk Miksa utca 9–11
Mailing address: 1374 Budapest, Pf. 603
Telephone: +36 1 391 1400
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
Right to Judicial Remedy
In the event of a perceived infringement of your rights in connection with the processing of your personal data, you have the right to bring the matter before the competent Regional Court (Törvényszék) (a list of which is available at https://birosag.hu/torvenyszekek).
In Budapest, the competent court is the Budapest-Capital Regional Court (Fővárosi Törvényszék), located at 1055 Budapest, Markó utca 27.
The action may be brought — at your choice — before the court having jurisdiction over your place of residence or place of stay.
XV. AMENDMENT OF THIS PRIVACY NOTICE
As Data Controller, we reserve the right to unilaterally amend this Privacy Notice at any time.
Information regarding any amendments to the Notice will be published on our website and communicated through our newsletter; no further consent from the Data Subjects is required for such amendments.
Budapest, 2025