The Privacy Policy of MrCoin Ltd. and Shinrai Kft. (collectively MrCoin.eu)

We hereby inform you that as a result of the General Data Protection Regulation (GDPR) adopted by the European Union, and applicable from 25 May 2018, we have introduced some changes concerning the use of our services that serve the even wider ranging protection of the personal data of our users.

From the very beginning, we have considered the fully compliant protection of user data to be exceptionally important, so we have adjusted the conditions of controlling and processing your personal data in compliance with the new regulation.

Users of the www.mrcoin.eu website operated by MrCoin Ltd. may contact us as specified in the Terms of Use.

The provision and the use of our services requires us to process your personal data, for which we always request your prior consent.

In the present Privacy Policy that is based on it, we specify and make available to all our clients our data processing principles and practices. Our objective is to ensure that our operation is compliant with the effective legislation of the European Union and in particular the UK and Hungary on data protection and data processing, and to assure that our clients can feel fully secure as regards the lawful processing of their personal data as well as in relation to their use of our services.

As Controllers, MrCoin Ltd., a company registered in the United Kingdom (MrCoin Ltd., 96 Kensington High Street, London, United Kingdom, W8 4SG) and Shinrai Kft., a company registered in Hungary (1025 Budapest, Vérhalom utca 40., email: [email protected]) cooperate in the interest of providing the service pursuant to an agreement they have entered into, under which Shinrai Kft. provides software development, operator, sales support, customer service and agency services to MrCoin Ltd.

I. The legislative background of our data processing:

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR – General Data Protection Regulation: https://eur-lex.europa.eu/eli/reg/2016/679/oj)
  • Hungary’s Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers
  • Hungary’s Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing
  • Hungary’s Act CLV of 1997 on Consumer Protection
  • Hungary’s Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services
  • Hungary’s Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
  • Data Protection Act 1998 of the United Kingdom, as legislation applicable to the seat of MrCoin Ltd.
  • Hungary’s Act V of 2013 on the Civil Code

II. Fundamental concepts of data processing/Definitions

“data subject” means any natural person identified or identifiable, directly or indirectly, by reference to specific personal data;

“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“joint processing or processing by multiple parties” means the range of cases in which the framework of data processing is established jointly by the processors;

“restriction of processing”: means the marking of stored personal data with the aim of limiting their processing in the future;

“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“pseudonymisation”: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

“filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;

“third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“supervisory authority concerned” means a supervisory authority which is concerned by the processing of personal data because: a) the controller or processor is established on the territory of the Member State of that supervisory authority; b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or c) a complaint has been lodged with that supervisory authority;

“cross-border processing” means either a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

“objection” means a statement issued by a data subject in which the data subject objects to the processing of his/her personal data and requests the discontinuation of data processing or the deletion of the data processed;

“data processing” means the performance of technical tasks associated with data processing operations, irrespective of the method and tools used to perform the operations and the place of application, provided that the technical task is performed on the data;

“erasure of data” means the rendering of data to be unrecognisable so as to prevent restoration of the data;

“third person” means a natural or legal person or organisation without legal entity that is not identical to the data subject, the controller or the processor;

“terminal or Bitcoin ATM” means a special internet kiosk for the sale and purchase of cryptoassets.

III. Who processes the data of clients? – designation of Controllers:

MrCoin Ltd. and Shinrai Kft. participate in conducting the sale and purchase transactions of virtual cryptoassets (cryptocurrencies such as Bitcoin, Ether, Litecoin and other cryptocurrencies, crypto assets, hereinafter Cryptoassets, so, as Controllers, they determine the purposes and means of the processing of personal data jointly, therefore they constitute Joint Controllers. In the present Data Processing Policy, the two companies shall be collectively referred to as Company, Controller or MrCoin.eu. We also inform you that in the case of the special Internet kiosk terminal for the sale and purchase of Cryptoassets (Bitcoin ATM) operated in the customer service area of Virpay Pénzforgalmi Szolgáltató Kft. (located at H-9200 Mosonmagyaróvár, Szent István út 49.) we conduct video surveillance with recording video cameras using the system operated by the owner of the premises, VirPay Kft., so in respect of the images recorded of the persons entering the premises, Virpay Kft. also constitutes a joint controller.

IV. To whom may MrCoin.eu disclose personal data? – Processors, and designation of data processing operations:

Minervatel - Minerva-Soft Kft. (seat: 1117 Budapest, Infopark sétány 1, Building "I”, Hungary) – cloud-based telephone exchange service: call-centre service with voice recording, web assistant service – www.minervatel.com

Zendesk Inc. (seat: 30 Eastbourne Terrace, W2 6LA London, United Kingdom) online support and helpdesk service – www.zendesk.com

Facebook Ireland Limited (seat: 4 Grand Canal Square Grand Canal Harbour Dublin, D02, Ireland) online support service – www.facebook.com

Google Inc. (seat: 1600 Amphitheatre Parkway, Mountain View, California, 94043 United States; contact entity: Google Kft.): online support and helpdesk e-mail service – www.google.com

Heroku (seat: The Landmark @ 1 Market St. Suite 300 San Francisco, California, 94105 United States of America) online cloud platform service – www.heroku.com

Amazon Web Services, Inc. (410 Terry Ave North Seattle, WA 98109-5210, United States of America) online cloud platform service – https://aws.amazon.com/

MailerLite (seat: Paupio 46, Vilnius, Lithuania) newsletter sending service – www.mailerlite.com

We may also transmit and store the data that our clients make available to us in locations outside the European Economic Area (EEA). They may be processed by participants working for us or one of our suppliers, outside the territory of the EEA. They may include any person participating in supplying your order by processing your payment data, or someone performing customer service tasks. By providing your personal data to us, you also approve such transmission, storage and processing as well.

Our data processors provide appropriate guarantees (binding corporate rules – BCR – and certificates) for the compliance of their data processing, and they have issued binding and enforceable undertakings to use the appropriate instruments – including those associated with securing the rights of data subjects. Detailed information is available on the internet pages of the processors.

V. What principles does MrCoin.eu apply to the processing of personal data?

Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)

b) collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes; (’purpose limitation’);

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’);

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with, the fundamental purposes (‘accountability’).

The principles of data processing and the obligation to comply with them are applicable equally to both the Controller and the Data Subject.

VI. The legal basis and purpose of the data processing conducted by MrCoin.eu

The legal bases of data processing:

  • Consent of the Data Subject/Client/User: Data processing begins with the data sheet completed in person and/or the data you provide through the website or the Bitcoin ATM, and by granting of voluntary, specific, express, informed and unequivocal consent to data processing (Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Article 5, paragraph (1), section a) – GDPR Article 6, paragraph (1), section a)).

  • Legal provisions: Article 17/B, paragraph (3) of Act CLV of 1997 on Consumer Protection also prescribes that all verbal complaints received by telephone at customer services accessible by telephone, as well as all telephone communications between customer services and consumers must be recorded.

  • The controller’s legitimate interest: prudent performance of the client identification in the interest of preventing money laundering and the financing of terrorism associated with the service provided by the data processor, based on an evaluation of the interests of compliance explained in detail in the chapter on “Purposes of data processing”.

VII. Purposes of data processing:

The purpose of our data processing is data processing, communication and marketing calls required for the sale and purchase of virtual crypto assets, and the sales support, operations and customer services associated with the conducting of such sale and purchase transactions.

The processing of your personal data is particularly important for compliance with the client identification requirements associated with the prevention of money laundering and the financing of terrorism, and for fulfilling our obligation to cooperate with the authorities for these purposes.

Due to the – partial – anonymity of crypto assets, as a system of instruments for making payments, they may occasionally be used for criminal purposes, or third parties may be required to use them in order to conceal criminal offences, who therefore use our services under coercion.

Our Company cooperates fully with the authorities in order to assist with the discovery of such criminal offences, and we shall transfer all the data we have processed relative to the transactions concerned (as well as transactions similar to transactions used for committing a criminal offense in terms of different criteria) to the authorities, if they request us to do so specifically. This is also our obligation under the law.

Our Company does not disclose and does not make available the personal data processed to third parties for the purposes of the marketing activities of such third parties or for any other purpose without the data subject’s specific, advance consent.

VIII. What personal data does our Company process?

In order to minimise the processing of your personal data – and primarily, though not exclusively based on the sum involved in the transaction – we have established distinct levels and we request personal data from the data subjects depending on the level of the transaction. You can find information about these levels and the various associated obligations in our AML policy: - https://www.mrcoin.eu/en/aml-policy.

The range of data that we may request for identifying clients and rendering services is as follows:

  1. Contact mobile phone number
  2. Contact e-mail address
  3. Full name of client
  4. Bank account number
  5. High-resolution photo of the client’s bank card, showing his/her full name with the bank card number and date of validity fully covered
  6. High-resolution scanned copy of a photographic ID document suitable for identification issued by a government authority
  7. High-resolution scanned copy of a document suitable for certifying residential address
  8. A photo of you in which you hold in your hands 2 documents and a sign we send to you

Additional personal data that may be registered:

  1. Signature of client or of the representative of legal person client
  2. Birth name of client or of the representative of legal person client
  3. Mother’s maiden name of client or the representative of legal person client
  4. Place and date of birth of client or the representative of legal person client
  5. Dates and times of visits to our website
  6. IP address of the visitor’s / user’s computer
  7. Type of browser used by the visitor / user
  8. Settings of the browser used by the visitor / user such as screen resolution, available fonts and extensions, language settings, time zone, etc.
  9. Address of the user’s Cryptoasset wallet
  10. Recordings of calls that clients make to our customer service department along with identification data of the recordings (see Section X.3.)
  11. Facial images of clients obtained from images recorded of the clients using the special internet kiosk terminals for the sale and purchase of Cryptoassets (e.g. Bitcoin)
  12. Data shown in the certificate of incorporation of legal person clients

As the user, You are responsible for the accuracy and authenticity of the data provided. We are not liable for any disadvantages resulting from non-compliance of the aforementioned.

IX. How does MrCoin.eu process personal data? – the technical and administrative background of data processing

  1. The Controller, and within its sphere of competence, the Controller’s prevailing data processor, subcontractor or employee must implement adequate safeguards and appropriate technical and organisational measures to protect personal data, as well as adequate procedural rules to enforce the provisions of this Act and other regulations concerning confidentiality and security of data processing.

    All natural and legal persons in an employment or contractual relationship with the Controller recognise the provisions of the present Data Processing Policy and the effective legislation as binding on themselves and their procedures. Their employer or principal is responsible for their activities.

    Data must be protected by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique. For the protection of data stored in different electronic filing systems, suitable technical solutions shall be introduced to prevent – unless this is permitted by law – the interconnection of data stored in these filing systems and the identification of the data subjects.

    The controller and its subcontractors shall take the prevailing level of technological development into account when determining and applying the measures intended to ensure data security. In case of several possible data processing solutions, the one offering a higher level of security for personal data shall be selected, unless that would represent disproportionate difficulties for the controller.

  2. The www.mrcoin.eu website uses cookies to be able to distinguish between its users and to further develop the service. MrCoin.eu manage the personal data submitted to it via the mrcoin.eu website in compliance with the present policy.

    In the interest of providing personalised services, it primarily uses session cookies that support browsing. Cookies are alphanumeric text files that, in themselves, do not facilitate personal identification in any manner, they are simply suitable for identifying a browser. If a browser returns a previously saved cookie, the service provider processing that cookie has the option of connecting the user’s current visit with previous ones, but only in respect of its own content.

    By using the website, you consent to MrCoin.eu sending one or more cookies to your computer, which will allow your unique browser to be identified. You can disallow the use of Google cookies at the following URL: http://www.google.hu/policies/technologies/ads/

  3. The www.mrcoin.eu website also contains links to external servers (not managed by MrCoin Ltd.), and if you visit the pages referenced by such links, they may place their own cookies and other files on the user’s computer, they may collect data or request personal data as well. MrCoin Ltd. shall not be liable for any such activities.

  4. Decisions based on automated data processing

    In the case of certain transactions, our Company may process and evaluate your data using computing equipment, in an automated fashion. If the processing is performed using computing equipment only, we shall provide an opportunity for you to state your position in respect of the decision made on the basis of automated data processing upon request, and we shall provide information to you about the method used and its essential features.

X. The practical implementation of certain characteristic cases of data processing

  1. Registration of client data for identification

    As a client, or when you place an order through the www.mrcoin.eu website, you provide your personal data to us, and, on the website, you tick the boxes to indicate that you have read and understood the document entitled “Terms of Use” and the content of the “Privacy Policy, and that you expressly consent to the processing of your data, or you visit us in person, and we record your personal data on a form and you consent to the processing of your data by signing the form in person.

  2. Photocopying of the client’s documents for identification

    Your document containing personal data may be photocopied if that is unavoidable by means of any other reasonable alternative, and even then, the copy shall be produced so that the copy only contains the strictly necessary data. In such cases we shall inform you in advance about the purpose of making the photocopy, and you shall have to grant your consent in writing, expressly and freely. In order to minimise the processing of your personal data – primarily but not exclusively determined on the basis of the sum involved in the transaction and/or the character of the transaction – we have established various levels of identification, and we shall request and process electronic copies or photos of the documents containing personal data in accordance with those levels.

  3. Recording camera surveillance, recording of phone calls

    In the interest of the operation of the terminals (Bitcoin ATMs) we operate ourselves (in the DOBLO Wine Bar, H-1071 Budapest, Dob u. 20., and at the customer service premises of Virpay Kft., H-9200 Mosonmagyaróvár, Szent István király út 49.), and in the interest of protecting our services to clients from disturbances, and in the interest of protecting human life, bodily integrity, personal freedom, security of assets and business secrets, our Company takes photographs and records video, which we may store and use as evidence for security purposes.

    By entering the premises, clients acknowledge and accept the fact of camera surveillance and expressly approve such photos and video to be recorded of them. In compliance with our obligations as a data controller, we have displayed information signs about the existence and operation of the surveillance system, which clearly inform the persons using the service that we are using a system of electronic surveillance and recording cameras on the premises in question.

    The images recorded (unless they are used in an official or court procedure or the data subject requests that they be retained) shall be deleted sixty days after recording in compliance with Article 31, paragraph (4) of Act CXXXIII of 2005 on the Rules Governing the Activities of Personal and Asset Protection Security Services and Private Investigators.

    The persons authorised to view the recordings are as follows: if in the event of a suspected infringement, in case of extraordinary events, and in the case of complaints and objections, the executives and operative staff of our Company and our internal data protection officer, and in the case of queries from authorities or courts of law, the person representing the body making the query, and in the case of the terminal operated on the customer service premises of Virpay Pénzforgalmi Szolgáltató Kft. in Mosonmagyaróvár, the operative management of MrCoin.eu through the banking security officer of Virpay Pénzforgalmi Szolgáltató Kft.

    The detailed rules of operation of the recording camera surveillance system are specified in the document entitled “Information about the electronic surveillance system”, available on the premises concerned and at https:.

    The legal basis for the recording of phone calls is prescribed by the law: Article 17/B, paragraph (3) of Act CLV of 1997 on Consumer Protection requires that all verbal complaints received at telephone customer service facilities as well as all telephone communications between the customer service facility and consumers shall be recorded. If you do not consent to the recording of our telephone conversation with you, you may not use the assistance of our Company’s customer service facility for the use of our – otherwise automated – services.

    The purpose of recording phone calls is to allow verbal statements made about the use of the service to be tracked, to protect the rights of the data subjects and the data controller, and to guarantee ex-post verification.

    When we record phone calls, we store the following data:

    • Phone number
    • Time of the call
    • The audio recording of the conversation
    • The personal data provided during the call

    Phone calls are retained for 5 years. The audio recordings can be accessed based on the caller’s phone number and the date of the call, as unique identifiers.

    If we receive a request to that effect, we make the recorded audio available in electronic format in accordance with the following procedure: The data subject requests to obtain a copy of the recorded conversation in writing, indicating the telephone number used for the phone call and the time of the call (at a minimum, the year, month and day of the call), also specifying a password to be used for encryption, and the address to which he/she requests the copy to be sent. The written request shall be sent to the Company’s seat, and the Company shall review whether providing the information would be lawful within 30 days of receipt. If there is no legal obstacle to the provision of the information, the Company shall send the data requested to the requesting party in electronic format, as requested. If it is unable to provide the data requested, it shall inform the requesting party of the rejection of the request including a reason.

  4. Data processing associated with the sending newsletters of the provision of information about the services and sector of activities of our Company, and of marketing.

    Legislative background of the data processing: Hungary’s Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (the Info Act) and Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR – General Data Protection Regulation).

    Legal basis for processing: signing up in accordance with Article 5, paragraph (1), section a) of the Info Act and Article 6, paragraph (1), section a) of the GDPR, i.e. the data subject’s consent given freely and expressly on the data controller’s website.

    The purpose of data processing is to allow the data subject to receive up-to-date information about the data controller’s services and sector of activities, and the commercial offers of the data controller or its partners.

    Range of data processed: the name and e-mail address of the persons who sign up, the IP address of their computers, type of their web browsers.

    Period of data processing: until the unsubscription, i.e. until consent is withdrawn by clicking on the link at the bottom of the newsletter.

XI. Our tasks in case of a personal data breach

Our tasks in case of a personal data breach are as follows:

  • We shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
  • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we, the controller, shall communicate the personal data breach to the data subjects without undue delay.
  • We shall maintain a registry of personal data breaches.

Based on their obligation to cooperate with us, our processors are required to report any personal data breaches associated with the data being processed to us without undue delay after they become aware of it.

If it is possible to establish in compliance with the principle of accountability that the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons, it is not necessary to report it.

Our clients shall not have to be informed about the personal data breach if:

  • the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
  • providing such information would involve disproportionate effort.

XII. The rights of Data Subjects – provision of information about the processing of personal data

  • Right to being informed:

    The principle of fair and transparent data processing requires that the data subject should be informed of the fact and the purposes of data processing. The controller shall also make available to the data subject further information that is required for establishing fair and transparent data processing, taking into account the specific circumstances and contexts of the processing of personal data.

  • Right of access (GDPR Article 15);

    The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information.

  • Right of withdrawing consent (GDPR Article 13);

    The data subject shall have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

  • Right to rectification (GDPR Article 16);

    The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  • Right to erasure, or “the right to be forgotten” (GDPR Article 17)

    The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    b) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;

    c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

    d) the personal data have been unlawfully processed;

    e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

  • Right to restriction of processing (GDPR Article 18);

    The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

    a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

    b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

    c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims

    d) the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

  • Notification obligation regarding rectification or erasure of personal data or restriction of processing (GDPR Article 19);

The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

  • Right to data portability (GDPR Article 20);

    The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if the processing is based on consent provided for the processing of the data subject’s personal data for one or more specific purposes and the processing is carried out by automated means.

  • Right to object (GDPR Article 21).

    The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her necessary for the purposes of the legitimate interests pursued by the controller or a third party, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

XIII. Your rights associated with data processing and their assertion

At your request, we shall provide information about your data that we control and that the processor commissioned by us processes, their sources, the purpose, legal grounds and period of the processing, the name, address and processing activities of the processor, the circumstances and impacts of personal data breaches and the measures taken to avert them, and – if we transmit your personal data – the legal grounds for the transmission and the recipient.

You also have the right to receive information about whether we are processing your personal data, and you have the right to access your personal data and information.

We shall provide the information requested, or a copy of the personal data that are being processed, as soon as possible after the submission of your request, but in any case no later than within 30 days, in writing, in an intelligible format. At your request, we shall provide the information in electronic format.

The provision of information shall be free of charge if you have not submitted a previous request for information concerning the same range of information in the same year. Otherwise, we may charge a reasonable fee to cover our administrative costs. We shall refuse to honour your request for information or access only in the legitimate cases specified in law.

If we refuse your request for information or access, we shall inform you in writing about the legislative provision on whose basis we rejected your request. If we reject your request, we shall inform you of your options to obtain legal redress in a court of law as well as your option to lodge a complaint with the National Data Protection and Freedom of Information Authority (seat: H-1024 Budapest, Szilágyi Erzsébet fasor 22/c.; hereinafter the Authority).

We shall provide information – via our homepage – about any material changes to our data processing relative to the present policy, as well as the circumstances and impact of any data breaches that occur and the measures taken to avert them.

As a data subject you have the right to receive your personal data that we process in a structured, commonly used and machine readable format and you have the right to transmit those data to another controller without us hindering you (right to data portability).

How long do we keep and when do we restrict or rectify your personal data?

Personal data may only be processed and stored for a specific purpose, the exercise of a right or to discharge an obligation.

Within 30 days of receiving your request to that effect, we shall take action to have your personal data erased if the purpose of the legal ground of the processing is no longer in place, you object to the data processing, or the data processing is unlawful for any other reason.

The Terms of Use also stipulate that on account of the rules and the special character of our Company’s service – in the interest of complying with requests of authorities associated with the service, with the exceptions stipulated in the present policy – erasure of the personal data can be requested after at least 5 years from registration in accordance with the rules stipulated in Article 17 of the GDPR, unless required otherwise by other obligations prescribed in law.

At your request, we shall rectify the inaccurate personal data, or complete the incomplete personal data concerning you that we process without undue delay.

We shall restrict the processing of your data if one of the following applies: a) you contest the accuracy of your personal data; b) the data processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; c) we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise of or defence against legal claims; or d) you object to the data processing.

You may object to the processing (an objection is a declaration in which the client objects to the processing of his or her personal data and requests discontinuation of the data processing and/or erasure of the data processed). We shall review your objection as soon as possible within the submission of your request, but in any case within 30 days, we shall make a decision as to whether the objection is justified and we shall inform you of our decision in writing. Our internal data protection officer shall participate in the assessment of the objection or complaint.

If we are unable to comply with your request for rectification, restriction or erasure, we shall inform you within 30 days of receiving your request, in writing, about the factual and legal reasons for rejecting your request for rectification, restriction or erasure.

If you disagree with our decision concerning your request for rectification, restriction or erasure or your objection, or if we fail to respond within the deadlines specified above, you can turn to a court of law. You can also turn to a court of law if any of your other rights – in particular, your right to being informed – are infringed.

When authorities request data from us based on legislative provisions – provided the authority in question specifies the range of data requested and the purpose of data processing – we only provide the data necessary for achieving the purpose of the request.

XIV. Legal remedies

You can address any requests for information, questions, suggestions and complaints associated with data processing to the officer of our Company in charge of tasks associated with data protection by sending an e-mail to us at [email protected] or by sending mail to H-1025 Budapest, Vérhalom utca 40.

You can submit complaints about data processing to the United Kingdom’s Information Commissioner’s Office on the https://ico.org.uk/ website or by sending an e-mail to [email protected], or to the supervisory authority appointed in Hungary, that is the National Data Protection and Freedom of Information Authority, whose address is H-1125 Budapest, Szilágyi Erzsébet fasor 22/c, mailing address: 1530 Budapest, Pf. 5., Phone: +36 (1) 391-1400 Fax: +36 (1) 391-1410, E-mail: [email protected], website: www.naih.hu.

If your rights as a data subject are infringed, you can also petition a court of law to have them enforced.

We request and suggest that before initiating a procedure with the authorities or a court of law, please take advantage of the option to submit a request, complaint or objection to MrCoin.eu.

We reserve the right to amend the provisions of the present policy within the legitimate bounds of effective legislation.

25 May 2018