Danuba Trade and Service Company Limited Liability Company

The General Data Protection Regulation 2016/679 of the European Parliament and of the Council (hereinafter the “GDPR”) and Act CXII of 2011 on the Right to Informational Self- Determination and Freedom of Information (hereinafter the “Infotv.”), Danuba Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 2000 Szentendre, Kovács László utca 57.; company registration number: 13-09-175759; hereinafter referred to as the “Data Controller”) has adopted the following data protection and data management policy (hereinafter referred to as the “Policy”) for the purpose of the lawfulness and protection of the data processed:

Data processing by the Data Controller and its purpose

1.1.The purpose of the Policy is to ensure that the Data Controller complies with data protection rights and data security requirements, to prevent unauthorised access, unauthorised alteration and disclosure of data, and to set out the rules to be followed in the event of a data breach.

1.2. The Data Controller is a company primarily engaged in the provision of precision agricultural services, the distribution of fertilizers and pesticides. The purpose of data processing is to ensure the effective operation of the business of the Data Controller and to facilitate the exercise of the rights and the performance of the obligations of the Data Controller.

1.3 The Data Controller shall process personal data only in accordance with the provisions of the Information Act and the GDPR, to the minimum extent and for the minimum period necessary to achieve the purpose set out in point 1.2 of this Policy. If the purpose of the processing ceases to exist or the processing of the data is otherwise unlawful, the Data Controller shall delete the data.

1.4 The Data Controller shall not use or process the personal data provided for any purpose other than that specified in point 1.2 of this Policy.

1.5 The Controller is entitled to process personal data in the following cases:

where the data subject has given his or her consent in a statement drafted in advance by the Controller to the processing of his or her personal data in accordance with the provisions of this Policy 1.2. the processing of
personal data is necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into a contract;

processing is necessary for compliance with a legal obligation to which the Controller is subject; processing is
necessary for the protection of the vital interests of the data subject or of another natural person;

processing is necessary for the purposes of the legitimate interests pursued by the Controller; or
processing is necessary for the performance of a task carried out for reasons of public interest.

1.6. Data Controller and contact details:

Danuba Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság Postal address/address: 2000 Szentendre, Kovács László utca 57. Phone: +36-30/861-7498
E-mail: kapcsolat@danuba.hu

URL: www.danuba.hu

1.7 The Data Controller shall record and process the data provided by the persons completing the consent form specified in Section 3 of this Policy, the data of the senders of letters and e- mails received, the data of private partners and contractual contacts contracted with the Data Controller, as well as all data that can be obtained from public records or other lawful means, the recording and processing of which is necessary for the fulfilment of the Data Controller’s obligations or the enforcement of its legitimate interests. The Data Controller also records and processes the data provided by the data subjects through the online platform as defined in point 10.1 of this Policy (hereinafter the “Website”) in accordance with the provisions of this Policy.

1.8. If personal data relating to the data subject is collected from the data subject, the Controller shall communicate it to the data subject at the time of obtaining the personal data: the
identity and contact details of the Data Controller and his representative, the
contact details of the Data Protection Officer, the
purposes and legal basis of the processing, the
storage period of the personal data or, if this is not possible, the criteria for determining that period; whether the
provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract, and whether the data subject is under an obligation to provide the personal data and the possible consequences of not providing the data; the
controller shall also inform the data subject of his or her rights and remedies with regard to the processing. The controller shall provide the information in writing and, in relation to data provided on the website, in a notice on the controller’s website.

1.9 Where the Controller has obtained personal data relating to the data subject from a non data subject, the Controller shall communicate to the data subject, no later than one month from the date of obtaining the personal data, the information set out in point 1.8 of this Policy, together with the categories of personal data concerned, the source of the personal data and, where applicable, whether the data originate from publicly available sources.

If the Controller uses the personal data for the purpose of contacting the data subject, the communication under this point shall be made at least at the time of the first contact with the data subject, and if the data are likely to be communicated to another addressee, at the latest at the time of the first communication of the personal data.

1.10. Employees of the Data Controller who handle personal data are required to keep the personal data they have obtained confidential. The Data Controller shall employ only those who have signed a confidentiality declaration.

1.11. The security of the data processing carried out by the Data Controller is guaranteed by the following technical and organisational measures: access

to personal data stored electronically is restricted to employees authorised to do so by their job, after they have provided their
access password;
regular backups; and

confidentiality declarations made by employees.

Data Protection and Privacy Principles

2.1. Legality, fairness and transparency

The controller processes personal data lawfully and fairly and in a transparent manner for the data subject.

2.2. Purpose limitation and data economy

The Data Controller collects and processes personal data for the explicit and legitimate purposes set out in point 1.2 of this Policy and does not process personal data in a way incompatible with those purposes. The Controller’s processing is limited to that purpose.

2.3. Accuracy

The Controller shall make every effort to ensure that personal data which are inaccurate for the purposes of processing are erased or rectified without undue delay.

2.4. Limited shelf life

The Controller shall store personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data shall be stored in electronic form. The Controller shall review the justification for the processing of the stored personal data every 5 years and shall delete the processed data if it ceases to exist.

2.5. Integrity and confidentiality

The Data Controller shall process personal data in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by implementing appropriate technical and organisational measures.

2.6 Prohibition of special categories of personal data

The Data Controller does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data or biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.

Declaration of consent

3.1 In the case of all personal data processing which is not based on a legal provision and where there is no legal basis for the processing pursuant to Article 6(1)(b), (d) or (f) of the

GDPR, the Controller shall obtain the consent of the data subject in the form of a consent form before processing is started.

3.2 The Data Controller shall provide the data subject with the consent form in an intelligible, clear and plain language, in a pre-drafted form, prior to the processing of the personal data. The controller shall inform the data subject of the processing before giving consent.

3.3 The consent form and the accompanying information notice contain the information required by Article 13 of the GDPR, in particular:

the name and contact details of the Data Controller;
the name and contact details of the Data Protection Officer; the
purposes for which the personal data are processed; the
legal basis for the processing; the
duration of the processing; the
information to the data subject on his or her rights concerning the processing, the possibilities of access to the data; the means of rectification, erasure, processing and remedies.

3.4 The purpose of the consent form is to enable the Data Controller to clearly demonstrate to the supervisory authority or the data subject that the data subject has consented to the processing of his or her personal data.

3.5 The data subject may withdraw his or her consent at any time. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent prior to the withdrawal, or the lawfulness of processing based on other legal bases (e.g. Article 6(1)(b), (d) or (f) of the GDPR).

3.6 In the case of a child under the age of 16, consent to the processing of personal data of the child may only be given by the person who has parental authority over the child.

Rights of data subjects

4.1.The Data Controller considers it important to respect and enforce the rights of data subjects in relation to the processing of their personal data, and hereby informs the data subjects that it respects the personal rights of data subjects and that it acts in accordance with the substantive and procedural rules of Hungarian and EU law, the present Policy and other internal regulations in force.

4.2. Right of access of the data subject

The data subject has the right to access the information provided for in Article 15 of the GDPR Regulation, in particular to receive feedback from the Controller as to whether or not his or her personal data are being processed and, if such processing is taking place, to have access to the personal data.

At the request of the data subject, the Controller shall provide the data subject with a first copy of the personal data free of charge. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

4.3. Right to rectification

The data subject shall have the right to obtain from the Data Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. The data subject shall also have the right to obtain the rectification of incomplete personal data.

4.4. The right to be forgotten

The data subject shall have the right to obtain from the Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay.

The controller undertakes to delete personal data relating to the data subject without undue delay where.

the personal data are no longer necessary for the purposes set out in point 1.2 of this Policy; the data subject withdraws his or her consent as set out in point 3.5 of this Policy;
the data subject objects to the processing; or
the personal data must be erased in order to comply with a legal obligation imposed on the Controller.

The right to be forgotten does not apply, i.e. the Data Controller does not delete the data if the processing is necessary

for the exercise of the right to freedom of expression and information;
for compliance with an obligation to which the Data Controller is subject or for the performance of a task carried out in the public interest;
on grounds of public interest in the field of public health;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
for the establishment, exercise or defence of legal claims.

4.5. Right to restriction of processing

The data subject shall have the right to obtain from the controller, at his or her request, the restriction of processing if.

the data subject contests the accuracy of the personal data – in which case the restriction applies for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the data and requests instead that the use of the data be restricted; the

Controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
the data subject objects to the processing – in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller override those of the data subject.

4.6. Right to data portability

The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable

format and the right to transmit such data to another controller without hindrance from the Controller to whom the personal data have been provided.

4.7. The right to object

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the legal basis set out in point 1.5(v) or (vi) of this Policy. In such a case, the Controller shall no longer process the personal data, unless the processing is justified on compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

4.8. Right to lodge a complaint

The data subject has the right to lodge a complaint with the supervisory authority if he or she considers that the processing of personal data concerning him or her is unlawful.

Supervisory body with jurisdiction and competence in Hungary:

National Authority for Data Protection and Freedom of Information postal address: 1530 Budapest, Pf.: 5.
address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36/1-391-1400

Fax: +36/1-391-1410
E-mail: ugyfelszolgalat@naih.hu URL: http://naih.hu

The supervisory authority will inform the person concerned of the procedural developments regarding the complaint.

4.9. Obligation to notify the Data Controller

The Data Controller shall inform all data subjects about the rectification, erasure or restriction of processing of their personal data.

4.10. Right to compensation

If the Data Controller causes damage to another party by unlawful processing of the data subject’s data or by breaching the requirements of data security, the Data Controller shall compensate the damage. The Controller shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

4.11. Any request relating to the processing of data in connection with the exercise of the data subject’s rights set out in this Chapter may be made in writing or electronically and addressed to the Data Controller. The Data Controller shall decide on the request within one month of its receipt, after consulting the Data Protection Officer, and shall inform the data subject of the action taken in response to the request or, if no action is taken, of the reasons for the lack of action, of the possibility of lodging a complaint with the supervisory authority or of appealing to the courts.

Data Management Register

5.1 The Data Controller shall keep a register of the processing activities carried out by the Data Controller concerning personal data covered by this Policy.

5.2 The data management register contains the following information:

The name and contact details of the controller and the name and contact details of the Data Protection Officer; the
purpose of the controller’s processing;
a description of the categories of data subjects and the categories of personal data; the time limits envisaged for the erasure of the different categories of data; and

a general description of the technical and organisational measures.
5.3 The Data Controller shall keep the data management register in electronic form.

5.4 At the request of the supervisory authority, the Data Controller shall make the register of data processing available to it.

5.5 The data management records are not public and may be consulted by the Data Controller and by the supervisory authority in the performance of its duties under the GDPR.

5.6 The Data Controller shall ensure that any changes affecting the personal data processing carried out by the Data Controller are promptly entered in the data processing records.

Transfers of data by the controller

6.1 The Data Controller shall record all data transfers in its Data Management Register, by recording the elements set out in point (c) of Article 25/E(1)(1) of the Data Protection Act.

6.2 The Data Controller shall only comply with a request for data transfer from a legal person or natural person other than the Data Controller if the data subject authorises it to do so in writing. The data subject may give such an authorisation in advance, which may be for a specified period and to a specified number of legal or natural persons making the request.

6.4.Regardless of the data subject’s statement, the Data Controller shall comply with requests from the authorities (police, courts, prosecutors’ offices) and national security services in criminal matters.

6.5.The Data Controller shall not inform the data subject or any other body or person of the request received from the national security services, its fact, content and the action taken.

6.6 The Data Controller shall keep a log of the transfer of data, if it is carried out from an electronically kept register, in accordance with the legal provisions applicable to the register. The Data Controller shall keep the data in the logbook from the time of their creation for the period provided for in the legislation on records and shall provide the technical means necessary for their consultation.

6.7 Based on the available data, the Data Controller shall examine the existence of the conditions for data transfer, the feasibility of the request, and, if necessary, shall provide further information.

6.8.The Data Controller shall decide on the executability of the request within 3 days in case of a request by a cooperating body pursuant to Act CCXXII of 2015 on the General Rules of Electronic Administration and Trust Services (hereinafter referred to as the “Cooperating Body”), otherwise within 15 days. In case of refusal to transfer data, the Cooperating Body may initiate a consultation, which shall be conducted by the Data Controller within 3 days.

6.9 If the conditions for the transfer of data are met, the Data Controller shall make the data available to the body or person making the request. The costs incurred in connection with the transfer of the data shall be borne by the body or person making the request.

6.10. The transfer of personal data to a country outside the European Union or to an international organisation in accordance with the relevant provisions of the GDPR may only take place with the consent of the Data Controller.

The data breach

7.1 In the event of a personal data breach, the Data Controller shall notify the supervisory authority without undue delay and no later than 72 hours after becoming aware of the personal data breach.

7.2. Data controller in the event of a notification:

describe the nature of the personal data breach and its number;
provide the name and contact details of the Data Protection Officer or other contact person who can provide further information;
describe the likely consequences of the personal data breach; and
describe the measures taken or envisaged by the Data Controller to remedy the personal data breach.

7.3 The Data Controller shall keep a record of the data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it.

7.4 If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall also inform the data subject of the personal data breach without undue delay.

Data Protection Officer

8.1 Data subjects may contact the Data Protection Officer in all matters relating to the processing of their personal data and the exercise of their rights.

8.2 The Data Protection Officer’s duties:

provide information and professional advice to the Controller and to the employees of the Controller carrying out processing;
monitor compliance with the GDPR and other national or EU data protection provisions and

the Controller’s internal rules on the protection of personal data;
provide professional advice;
cooperate with the supervisory authority; and
act as a contact point for the supervisory authority on matters relating to processing and consult it on any other matter as appropriate.

8.3 The DPO shall be bound by a duty of confidentiality in the performance of his or her duties. This duty shall survive the termination of the DPO’s duties.

8.4 The DPO shall carry out his or her tasks with due regard to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.

8.5 The Controller shall ensure that the DPO is involved in all matters relating to the protection of personal data in an appropriate and timely manner.

8.6 The Data Controller shall support the DPO in the performance of his or her tasks as set out in point 8.2 of this Policy by providing him or her with the resources necessary to perform those tasks, to access personal data and processing operations and to maintain the DPO’s level of expertise.

8.7 The Data Protection Officer shall not be dismissed or sanctioned by the Data Controller in connection with the performance of his or her duties. The DPO shall be directly responsible to the Chief Executive of the Controller.

8.8 The DPO shall not accept instructions from anyone in connection with the performance of his or her duties.

8.9 The Data Protection Officer may also perform other tasks at the discretion of the Data Controller’s Chief Executive Officer.

8.10. Data Protection Officer and contact details:

István Zajácz
Postal address: 2000 Szentendre, Kovács László u. 57 Phone: 36 30 915 6634
E-mail: istvan.zajacz@danuba.hu

Data Processor

9.1 The Data Controller uses data processors to facilitate its activities, whereby certain processing activities are carried out by data processors.

9.2 The Data Controller shall only use data processors that provide adequate guarantees for the implementation of appropriate technical and organisational measures to ensure compliance with the legal requirements for data processing and the protection of the rights of data subjects.

9.3 Processors shall not engage any other processor without the prior written authorisation of the Data Controller, either on a case-by-case basis or in general. In the case of a general

written authorisation, processors shall inform the Controller of any planned changes concerning the use or replacement of additional processors, thereby giving the Controller the opportunity to object to such changes.

9.4. Data processors and their contact details
Danuba Ltd. does not currently use an external data processor. Online data management
10.1. Website

The Data Controller also carries out data collection activities on its own online platform (hereinafter referred to as the “Website”) in order to achieve the purpose set out in point 1.2 of this Policy. The Data Controller, as the operator of the http://www.danuba.hu/ Website, discloses in this section the rules for the processing of data of users of the services available on the Website and of visitors to the Website, carried out in the context of the services related to the Website.

Data subjects can provide information and data about themselves in two ways on the Website:

through personal data expressly provided or made available when using the services of the Website; or
through information provided to the Data Controller in connection with the use of the

Website, when visiting the Website or using

it.

The scope of the data processed is set out in the following table:

The Data Controller places a small data packet (hereinafter “Cookie”) on the data subject’s computer for the purpose of personalized service and reads it back during a subsequent visit. If the browser returns a previously saved Cookie, the Cookie management service provider has the possibility to link the current visit of the user concerned to previous visits, but only in respect of its own content.

Cookies used by the Data Controller:

Session Cookie: the Session Cookie is automatically deleted after the data subject’s visit. These Cookies are used to make the Website work more efficiently and securely, and are therefore essential to enable certain features of the Website or certain applications to function properly.

Persistent Cookie: Persistent Cookies are also used by the Data Controller to provide a better user experience (e.g. to provide optimised navigation). These Cookies are stored for a longer period of time in the browser’s Cookie file. The duration of this period depends on the settings of the data subject’s web browser.

The purpose of Cookies is to distinguish data subjects from each other, to identify the current session of users, to store the data provided during the session and to prevent data loss.

The duration of the data processing is until the end of the visit to the website in the case of Transition Cookies, or until the deletion of the data subject in other cases.

The data subject has the right to delete the Cookies from his or her computer or to disable the Cookies application in his or her browser.

The Website may also contain links to external servers (not managed by the Data Controller or data processors), and the sites accessible through these links may place their own cookies or other files on your computer, collect data or request personal data. The Data Controller disclaims any liability for these.

No personal data is collected and processed, used or identified in connection with the placement of Cookies.

10.2. Newsletter

The Data Controller also carries out online advertising activities in connection with the purpose set out in point 1.2 of these Rules and Regulations (hereinafter referred to as the “Newsletter”). Subscription to the Newsletter is based solely on voluntary consent.

In order to enhance the security of the Data Controller’s data, the Data Controller uses a two- step subscription process, whereby the subscriber, after providing his/her name and e-mail address and ticking the checkbox, receives a confirmation e-mail to finalise his/her consent to the Data Controller lawfully processing his/her data in the context of its online advertising activities.

The Data Controller will not send unsolicited commercial communications and the data subject may unsubscribe from the Data Controller’s Newsletter free of charge, without any restriction and without giving any reason. In such a case, the Data Controller shall consider the data subject as having exercised his/her right to be forgotten as provided for in point 4.4 of these Rules. The unsubscription is made by clicking on the link in the newsletter.

The Data Controller ensures that the data it processes are accurate and complete. This does not, however, oblige the Controller to prevent subscribers from making unauthorised use of

the personal data of others. On this basis, the Controller shall not be liable for any misuse of the personal data of others.

10.3. Community sites
The data controller can be reached on the following social networking sites.: Facebook (https://www.facebook.com/DanubaHU/)

The use of social networking sites and the contact, communication and other operations permitted by the social networking site with the Data Controller through them is based on voluntary consent.

The Data Controller communicates with data subjects via the Community Site only when the data subject contacts the Data Controller via the Community Site, and thus the purpose of the scope of the data processed becomes relevant when the data subject contacts the Data Controller via the Community Site.

The purpose of the presence on social networking sites and the related data processing is to share, publish and market the content of the Website on social networking sites. The social networking site also allows the data subject to be informed about the latest products.

Based on the terms and conditions of the social networking site, the data subject voluntarily consents to follow and like the content of the Data Controller. By way of example, the data subject can subscribe to the news feed posted on the Facebook wall by clicking on the “like” link on the Facebook wall, and thereby consent to the publication of news and offers of the Controller on his/her own wall, and unsubscribe by clicking on the “dislike” link on the same wall, and delete unwanted news feeds on the wall by using the settings on the wall.

The data subject may evaluate the Data Controller textually and numerically, if the social networking site so allows.

Internal data management by the controller

11.1 The Data Controller is entitled to process personal data relating to the work of its employees. In order to protect the security of this personal data, paper documents are stored in a locked cabinet.

11.2 Only the person exercising the rights of the employer may have access to documents containing personal data relating to employees.

11.6 The office mobile phone provided by the Data Controller to the employee can be used with a passcode. The employee shall ensure that no unauthorised person has access to the personal data stored on the office mobile phone and to its passcode which he/she has obtained in connection with his/her work. The employee shall immediately notify the Data Controller of the theft or loss of the office mobile telephone.

11.7 The office laptop provided by the Data Controller to the employee may be used with a password. The employee shall ensure that the personal data stored on the office laptop and the password that he/she has obtained in connection with his/her work cannot be accessed by

unauthorised persons. To this end, they must switch off the device or lock it with a screen lock when not in use. You must not conduct official business in a public place without unauthorised access to the computer. No official business may be conducted while connected to a public Wi-Fi network unless the employee is also connected to a virtual private network (VPN). The employee must report the theft or loss of an office laptop to the Data Controller without delay.

11.8 At the Data Controller’s headquarters, premises and branches, the personal computer used by the employee may be used with a password. The employee shall ensure that no unauthorised person has access to the personal data stored on the personal computer and to his/her password which he/she has obtained in connection with his/her work. To this end, he must switch off or lock the device when not in use, in particular when not in the vicinity of the personal computer.

11.9 Office mobile phones, office laptops and personal computers provided to employees may be used for work purposes only. If the employee stores his/her personal data on the office mobile phone, office laptop or personal computer, he/she acknowledges that the Data Controller may have access to them by placing his/her personal data on the device. In the event of a breach of this provision, the employee shall be considered the controller and shall be subject to the obligations and liability established in relation to the controller.

11.10. The employee shall store his/her e-signature card in a way that minimises the risk of loss or theft. The e-signature card and the codes (PIN, PUK) required for its use must not be stored in the same place.

11.11. Employees must not leave any document containing personal data on their desks when they are not at their place of work.

11.12. The Data Controller records incoming telephone calls only with the consent of the data subject.

11.13. In the event of a data protection incident, the employee who becomes aware of the incident shall notify the Data Controller immediately, but no later than 24 hours after becoming aware of the incident, by e-mail or telephone, so that the Data Controller can comply with its obligations under Chapter 7 of this Policy as soon as possible.

Other provisions

In matters not covered by these Rules, the applicable Hungarian legislation, in particular Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.), Act V of 2013 on the Civil Code and the applicable European Union legislation, in particular the General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and of the Council, shall apply.

Budapest, 14 March 2023.