Data Controller:
Company name: Ex Machina Ltd.
Headquarters: 6725 Szeged, Veres Ács utca 44. 3. em. 7.
Postal address: 6722 Szeged, Honvéd tér 5/B
Tax identification number: 25528228-2-06
These guidelines lay down the data protection and processing policy of Ex Machina Ltd. according to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), and of Act CXII of 2011 on information self-determination and freedom of information (hereinafter: Information Act).
Ex Machina Ltd. provides general information on the processing of personal data to all affected parties through these published Guidelines. Ex Machina Ltd.’s data protection and processing principles comply with the legislation in force.
Ex Machina Ltd. uses the data specified in this Privacy Policy only for the data protection and processing purposes laid down herein. All affected parties’ personal data are processed only for the required time, to the required extent, and in the required manner. To ensure the security of your data, our company takes all necessary and available security measures, both from a technical point of view and with regard to the procedures and activities of the persons involved in the data management.
These guidelines describe Ex Machina Ltd.’s (as controller) data processing activities and principles on the https://4spend.hu webpage which are exemplary to the controllers and to the company’s privacy contributors as well. These guidelines are valid until revocation.
In charge of the Company’s data protection:
Name: dr. Luca Gyárfás
Mobile: +36 30 159 6280
E-mail address: [email protected]
1. List of the applied legislation in relation to the data processing:
– Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR)
– Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”)
– Act XLVII of 1997 on the processing and protection of health care data and associated personal data
– Act C of 2000 on Accounting
– Act CVIII of 2001 on Electronic Commerce and on Information Society Services
– Act C of 2003 on electronic communications
– Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities
– Act V/2013 promulgating the Civil Code
2. Definitions
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
3. The scope of the personal data, and the purpose, legal basis and term of data processing
Ex Machina Ltd. will process your information only in connection with the Services and in accordance with this Privacy Policy and applicable data protection legislation. Your personal data and your informational self-determination are especially important to us; that is why we are committed to securing the information collected about you.
3.1 Managing visitors’ data on the data controller’s website
When you visit https://4spend.com/en, our servers automatically record information about your browsing activity. The purpose of data processing is to audit the operation of the services, improve personalized services and prevent data breaches. The legal basis of data processing is the data subject’s consent and section 13/A paragraph 3 of Act CVIII of 2001 on Electronic Commerce and on Information Society Services. Scope of processed data: information about your browser (e.g. the set language) and the addresses of the various pages that you visit. Term of data processing: 30 days from the date of the visit to the website.
3.1.1. Used cookies on the website
Similar to most organizations hosting a website, Ex Machina Ltd. uses cookies on its website (www.4spend.hu). A cookie is a small text file that a website stores on your computer or mobile device when you visit the site. The cookie allows the website to “remember” your actions or preferences over time (such as user name, language, etc.) and other information like your browsing preferences. That way, you don’t have to re-enter them when browsing around the site during the same visit. Cookies make the website user-friendly and improve the user experience. You are not required to accept or enable the cookies. You can modify these settings to prevent automatic acceptance, and the system can show a notification when it sends a cookie. If you reject the use of cookies, you will still be able to visit our websites, but some of the functions may not work correctly. Users can delete the cookies from their devices and can also block them in their browsers. Cookies used on the website do not contain enough information to identify the user.
a) Essential session cookies
These cookies are required in order to make it possible for users to browse our website and use its functions. These cookies are valid only for the duration of the actual visit and are automatically deleted from your computer at the end of the session or when you close the browser.
The purpose of data processing is to facilitate your navigation of our website and the use of its functions to provide a seamless user experience. The legal basis of data processing is the electronic commerce services and section 13/A paragraph 3 of Act CVIII of 2001 on Electronic Commerce and on Information Society Services. Scope of processed data: name, email address, date and time. Term of data processing: until the end of the session.
b) Persistent Cookies
These kinds of cookies are used to remember the user’s preferences within the website. The visitor can block them during the use of the service or even before.
The user can find information about the cookies in the website’s pop-up window and can also enable them there using the Enable/Accept icon. These data cannot be linked to the requester’s identifying data and cannot be given to third parties without the requester’s consent.
Performance cookies
Google Analytics cookies – you can find information about these here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Google AdWords cookies – you can find information about these here:
https://support.google.com/adwords/answer/2407785?hl=hu
The purpose of data processing is to increase the efficiency of the service and to provide a seamless user experience. The legal basis of data processing is the consent of the affected person. Scope of processed data: name, email address, date and time. Term of data processing: until the end of the session.
The links below provide information about the cookie settings of the most popular browsers:
Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-letiltasa-amit-weboldalak-haszn
Microsoft Internet Explorer 11: https://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
Microsoft Internet Explorer 11: https://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge/privacy-faq
Safari: https://support.apple.com/hu-hu/HT201265
3.2. Getting a quotation and enquiring on the website
You, as the visitor of the website, have the possibility to get information about Ex Machina Ltd.’s services and to get a quotation. In this case, you have to click on the “Get a Quotation” or the “I’m interested” button; on the form that appears you can then send your request for a quotation and also other questions to Ex Machina Ltd.
To send the message, you have to provide your e-mail address so that we can contact you. Giving additional personal data is optional. You can give your consent to the management of your personal data before sending a message by ticking the relevant checkbox. We’ll manage your personal data until you revoke your consent.
You can send your declaration of revocation to us by e-mail at any time; in this case, we’ll delete all of the given personal data immediately.
The legal basis of data processing: the data subject’s consent to the management of the personal data. The purpose of data processing: performance of services, contact by electronic means.
Scope of processed data: e-mail address and, if necessary, name and phone number. Term of data processing: until the data subject revokes his or her consent.
3.3. Using the Chatbot on the website and on Facebook
The data processing begins with your consent after starting the chatbot at http://4spend.hu. Ex Machina Ltd. records the whole conversation with the chatbot on http://4spend.hu as an incoming message. Ex Machina Ltd. records your personal data needed for your authentication, and also records some of your answers, which help the personalized operation of the chatbot. During the conversation, the chatbot introduces Ex Machina Ltd.’s services to you according to your interest. The chatbot will forward the data given during the conversation to the data controller’s relevant associates. If you get in touch with the data controller on the 4SPEND Facebook page operated by Ex Machina Ltd., Ex Machina Ltd. records the whole conversation with the chatbot as an incoming message on the 4SPEND Facebook page. The legal basis of data processing is the data subject’s consent. The purpose of data processing: in the case of willingly given and revocable consent, the data will be used for own marketing activity purposes and for research and direct marketing under Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing.
Scope of processed data: the name and e-mail address given by the data subject and, if necessary, the Facebook Messenger ID. Term of data processing: until the data subject revokes his or her consent or until the end of the data processing purpose.
3.4. Data processed with regard to the operation of the telephone client service
Ex Machina Ltd. provides the possibility of telephone administration for the purpose of giving information to the data subjects about its services, of ordering some services through a phone call, and of reporting its clients’ complaints. At the telephone client service you can, among other things, administer the following matters:
– asking for general information about Ex Machina Ltd.’s products and services
– asking for a quotation for the purpose of requesting Ex Machina Ltd.’s services
– complaint handling
Ex Machina Ltd. records the phone call conducted with you and informs you about this before the conversation; in this way, you are entitled to decide whether to consent to the recording. If you do not consent to the audio recording, you are not entitled to telephone administration. You are entitled to listen to the audio recording later and to ask for a copy of it. In the case of audio recording, your right to rectification under the GDPR does not apply, as it is conceptually excluded. If the audio recording is necessary in order to exercise your rights, you can request Ex Machina Ltd. not to delete the audio recording after the end of the data processing. To fulfil the request, verification of the legitimate interest is necessary. The locked personal data may be processed only as long as the data processing purpose that excludes the deletion of the personal data exists.
The legal basis of data processing: the consent of the data subject. The purpose of the data processing: informing the data subject, complaint handling, in a concrete case resolving other requests, settling legal disputes, proving the statements made. Scope of processed data: the data subject’s voice, name, phone number, e-mail address, and other data given by the data subject regarding the administration. Term of data processing: the audio recordings recorded by the telephone client service are preserved for 1 year after the recording, except if the law orders more than that.
3.5. Personal data processing associated with the newsletter service
On the website, a natural person who registers for the newsletter service can give his/her consent to the processing of his/her personal data by ticking the relevant checkbox.
The data subject can unsubscribe from the service at any time by using the “unsubscribe” button or by sending us his/her unsubscribing declaration on paper or by e-mail. In that case, we’ll stop sending newsletters and delete all the given personal data.
We inform you that if you get in touch with us by electronic means, we will not automatically send you newsletters.
Scope of processed data at newsletter sending: name and e-mail address. The purpose of data processing: sending promotional materials and newsletters about the data controller’s products and services. The legal basis of data processing: the data subject’s consent. Term of data processing: until the data subject revokes his or her consent. The recipients of the personal data: the customer service and marketing managers of the data controller.
3.6. Information
If you have any problems or questions while ordering our services, you can get in touch with the data controller at the contact details given in these Guidelines. If you do not use our services, but you reach out to us by e-mail or telephone for the purpose of getting information about them or requesting a quotation, we have to inform you that we’ll delete the e-mail address, the e-mail sender’s name, phone number, and other willingly given personal data 5 years after receiving that information. Based on this, we are not entitled to send you newsletters or direct marketing materials through your e-mail address without your consent.
5. Transferring personal data to a third country
The user’s personal data are not transferred into third countries. By a third country, we mean a country that is not a member of the European Union.
6. Automated individual decision-making and profiling in relation to personal data handling
In relation to the handling of the user’s personal data, there is no automated individual decision-making or profiling.
7. Rights of the data subject
You, as the data subject whose personal data are managed, have the following rights related to the data processing. We inform you that you can exercise the rights below only against the data controller.
– right to be informed
– right of access
– right to rectification
– right to erasure, “right to be forgotten”
– right to restriction of processing
– right to object
– right to data portability
– right to withdraw consent
– right to complain
– right to a legal remedy
7.1. Right to be informed
The general rules of informing the data subject and the right to be informed:
Where personal data relating to a data subject are collected from the data subject, the controller has to inform the data subject, before or at the time when the personal data are obtained, about the data processing information contained in these Guidelines. The controller shall provide the data subject with this information prior to the processing.
Besides that prior information, the data subject can ask for information at any time during the data processing from the data collector as follows. In that case, the controller shall provide information to the data subject without undue delay and in any event within 25 days of receipt of the request. That period may be extended by two further months where necessary.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may refuse to act on the request.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. You can read further information about the supervisory authority and seeking a judicial remedy below in these Guidelines.
The data controller shall provide information to the data subject free of charge. The controller may either charge a reasonable fee or refuse to act on the request, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.
7.2 Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If any such costs arise, we’ll inform the data subject about them.
Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
7.3. Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
7.4. Right to erasure (‘right to be forgotten’)
You, as the data subject, shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based or where there is no other legal ground for the processing;
(c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services.
Where the controller has made the personal data public and is obliged pursuant to the listing above to erase the personal data, the controller, taking account of available technology and the cost of implementation shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The requests listed above shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
If one of the reasons listed above exists, and the controller therefore does not have the obligation to erase the personal data, the controller shall inform the data subject of the action taken within 25 days, indicating the circumstances and the reasons for the action.
7.5. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing; in this case the restriction applies for the time until it is verified whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted under the reasons above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing pursuant to the reasons above shall be informed by the controller before the restriction of processing is lifted.
7.6. Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
7.7. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent (e.g. sending a newsletter) or on a contract; and
(b) the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to the reasons above, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Exercising the right to data portability shall not violate the right to erasure. The right to data portability shall not adversely affect the rights and freedoms of others.
7.8. Right to object
You, as the data subject shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
7.9 The right to withdraw consent
The data subject shall have the right to withdraw his or her consent at any time, when the legal basis of data processing is his or her consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The withdrawal of the consent takes place when the data subject himself or herself deletes his or her user account; the consent can also be withdrawn by sending a deletion request to the [email protected] e-mail address.
8. Legal remedy, right to complain, and judicial remedy
What are your options if you think your personal data are not handled lawfully?
8.1. Right to complain
You, as the data subject of the data processing, have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of your habitual residence, and the right to an effective judicial remedy, if, in your assessment, the personal data relating to you are processed unlawfully. In Hungary, the competent authority is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).
Exercising the right to complain does not rule out the possibility of a judicial remedy before a government or judicial authority if you suspect that your personal data are processed inappropriately. It is therefore possible to exercise the right to complain and to initiate a judicial remedy at the same time. You can take your complaint to the Hungarian National Authority for Data Protection and Freedom of Information, whose contact details are:
Name: Hungarian National Authority for Data Protection and Freedom of Information
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf.: 5.
Telephone: 06 1 391 1400
Fax: 06 1 391 1410
Webpage: http://www.naih.hu
e-mail: [email protected]
8.2. Right to an effective judicial remedy against the NAIH or other supervisory authority.
In case You have turned to the Authority (NAIH) with your problem related to the data processing and the Authority made a decision, you, as the subject of the data processing, have the right to challenge the decision in court. The data subject shall have the right to an effective judicial remedy also where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
Proceedings against a supervisory authority (NAIH) shall be brought before the courts of the Member State where the supervisory authority is established.
8.3. Right to an effective judicial remedy against a controller or processor
You, as the data subject, shall have the right to an effective judicial remedy where you consider that your rights have been infringed as a result of the processing of your personal data. Exercising the right to complain does not rule out the possibility of a judicial remedy before a government or judicial authority if you suspect that your personal data are processed inappropriately.
Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment.
For Ex Machina Ltd., these courts are the Hungarian courts; based on the headquarters of Ex Machina Ltd., the court is the County-court of Szeged or, in a case of special jurisdiction, the Tribunal of Szeged.
Such proceedings may be brought also before the courts of the Member State where the data subject has his or her habitual residence unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
9. Liability for compensation and compensation fee
How are the data controller and data processor responsible for damage suffered by the data subject?
When inappropriate data processing causes damage to you, as the data subject, the controller or processor should compensate for any damage which you may suffer as a result of processing. Damage occurs when the law has been infringed or the contract has been violated and the data subject has suffered financial damage. In the case of illegal data processing, the data subject shall claim a compensation fee.
The data subject shall enforce his or her claim for compensation primarily against the data controller. The processor should bear responsibility for the damage only when it has infringed the law that applies to it or has not followed the lawful instructions given by the controller. Accordingly, the processor shall not bear responsibility for the data controller's mistake.
10. Storing of personal data and the security of the data processing
Ex Machina Ltd.'s IT infrastructure, storage spaces, and other data storage places are located in the company's headquarters and premises.
We have chosen our IT devices and methods, especially our security system, in such a way that during the data processing the processed personal data is available to the data subject and to the persons authorized to process the personal data, the authentication and the authentication of the process are secured, and the data is protected against the loss of confidentiality of personal data.
We protect your personal data with appropriate arrangements, especially against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, and against personal data becoming inaccessible because of the technology used.
To protect the data files contained in its filing system, Ex Machina Ltd. uses appropriate technical solutions so that, except in the case of a legal delegation, the stored data cannot be used to create profiles of natural persons and identify them.
Considering the prevailing state of technological development, we take care of the protection and safety of our data processing by using technical, organizational, and institutional arrangements that ensure the security level of your personal data.
The IT network and system of Ex Machina Ltd. and its partners are secured against computer-related human threats (e.g. fraud, espionage, sabotage, vandalism, computer viruses, and computer break-ins), natural disasters (e.g. fire and flood), and other kinds of adverse effects (e.g. service outage). Ex Machina Ltd. ensures the security of its data by server-level and software-level defensive measures.
During the processing of personal data, Ex Machina Ltd. protects your personal data so that it is available only to the authorized persons (confidentiality), ensures that the method of the processing is accurate and complete (integrity), and guarantees the availability of the required data for the authorized users (availability). We have to inform the data subjects and our partners that the transmission of information partly happens through the internet. Data and e-mails transmitted through the internet, regardless of the protocol used (e-mail, web, FTP, etc.), can be vulnerable to network threats such as unfair acts, disputing of the contract, or the disclosure or modification of the information. To eliminate this threat, Ex Machina Ltd. takes every safety measure that can be expected of it.
11. Personal data breach and its management
Under the General Data Protection Regulation (GDPR), a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Therefore, every event and occasion in which your personal data can fall into the wrong hands is a personal data breach.
In the case of a personal data breach, we shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority and you, as the data subject, of the personal data breach, if the personal data breach results in a risk to the rights and freedoms of natural persons.
We are grateful for the trust You have placed in us.
Ex Machina Ltd.