Data processing statement

Table of Contents

  • What is the purpose of this notice?

  • Details of the Data Controller

  • What data processing activities take place on the Website?

  • What rights do Data Subjects have?

  • Notification and action obligations

  • Possible recipients of personal data

  • Cookies

  • Google Analytics

  • Other provisions

1. What is the purpose of this notice?

SXS TROPHY Kft., as the operator of the website available under the domain www.sxstrophy.hu (hereinafter: the "Website"), adopts this Privacy Notice in order to provide all essential information to natural persons using the Website's services (hereinafter: "Data Subjects") in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and to assist Data Subjects in exercising their rights set out in Section 4.

The legal basis for the information obligation is Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: "GDPR"), applicable from 25 May 2018, and Section 20 of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: "Infotv.").

When preparing and applying this notice, we took into account the recommendations of the Hungarian National Authority for Data Protection and Freedom of Information regarding the data protection requirements of prior information, as well as Article 5 of the GDPR, in particular the principle of accountability set out in Article 5(2).

2. Details of the Data Controller

Name: SXS TROPHY Kft.
Website: https://sxstrophy.hu/
Company registration number: 13-09-235471
Registered office: 2161 Csomád, Zahora utca 14./B.
Tax number: 32616123-2-13
E-mail: bartalattila1@gmail.com
Phone number: (not provided)

3. What data processing activities take place on the Website?

This section sets out the key circumstances for each processing activity required by the GDPR and other sectoral legislation.

3.1 Data processing related to newsletter subscription

To provide Data Subjects with current information related to the use of our services, the Website offers the option to subscribe to a newsletter. The following information applies:

3.1.1 Processed personal data and purpose of processing

  • Name — so that we can identify the Data Subject in our emails

  • E-mail address — so that we know where to send the newsletter about updates

3.1.2 Legal basis

The Data Subject's consent (GDPR Article 6(1)(a); Infotv. Section 5(1)(a); and Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activity (Grt.) Section 6(1)).

3.1.3 Retention period

Personal data is processed until consent is withdrawn. Consent can be withdrawn at any time by clicking the "Unsubscribe" button in the newsletter.

3.1.4 Method of processing

Electronically.

3.2 Contacting us via the Website

The Data Controller may be contacted through the Website for any purpose. Details are as follows:

3.2.1 Processed personal data and purpose of processing

  • Name — identification of the Data Subject

  • E-mail address — contact and, if a service is used, communication with the Data Subject

  • Phone number — contact and, if a service is used, communication with the Data Subject

3.2.2 Legal basis

  • If the Data Subject contacts us to request general information, processing is based on a legal obligation, with regard to GDPR Article 6(1)(c) and (2), Infotv. Section 5(1)(b), and Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Elkertv.) Section 13/A(1) and (3).

  • If the Data Subject contacts the Data Controller for the purpose of harbor and trailer rental, boat and trailer purchase, boat service, or registering for boating programs, processing is necessary to take steps at the request of the Data Subject prior to entering into a contract (GDPR Article 6(1)(b)). During the chosen service, the legal basis is performance of a contract (GDPR Article 6(1)(b)).
    (Note: this paragraph appears unrelated to SXS Trophy and may be leftover template text.)

  • If the Data Subject acts as a contact person on behalf of a legal entity, the legal basis for processing the above personal data is the legitimate interest of the Data Controller and the legal entity represented by the Data Subject (GDPR Article 6(1)(f)). Both parties have a legitimate interest in efficient business communication during service performance and in informing each other's designated representative about any material circumstances affecting their contract. No infringement of the contact person's right to informational self-determination can be established, as it is their job-related or contractual obligation to facilitate communication and provide personal data for this purpose.

3.2.3 Retention period

For 1 year following collection, or for 2 months from the selected program date.

3.2.4 Method of processing

Electronically.

3.2.5 Provision of personal data

Without these personal data, we cannot perform our services; providing the data is a precondition for concluding a contract.

3.3 Data processing related to race or tour applications

The Website allows users to apply for races and organized tours. In addition to contact details, the applicant must send us a completed application form. The purpose of processing the personal data included in these documents is also indicated. The following applies:

3.3.1 Processed personal data and purpose of processing

  • Name, mother's name, copy of identity document, nationality, place and date of birth — identification of the applicant

  • Permanent address — notifying the applicant by post about course-related information, if necessary

  • Phone number (optional) — communication and information about course details

  • E-mail address, address — communication and information about course details

3.3.2 Legal basis

Performance of a contract between the Data Controller and the applicant (GDPR Article 6(1)(b)).

3.3.3 Retention period

For 1 year after collection, or for 2 months from the last day of the selected event.

3.3.4 Method of processing

Electronically, automatically.

3.3.5 Provision of personal data

Without these personal data, the Data Controller cannot register applications; providing the data is a precondition for concluding a contract.

3.4 Data processing related to issuing invoices

After the services are provided, the Data Controller issues an accounting document in accordance with Act C of 2000 on Accounting (hereinafter: "Sztv."). Details are as follows:

3.4.1 Processed personal data and purpose of processing

  • Name — supporting the accounting settlement of service performance (economic event)

  • Address / for sole proprietors: registered seat (postal code, city, street name, house number together) — supporting the accounting settlement of service performance

3.4.2 Legal basis

Mandatory processing based on legal obligation (GDPR Article 6(1)(c), in conjunction with Infotv. Section 5(1)(b) and Sztv. Section 166(1)–(3)).

3.4.3 Retention period

For 8 years following the issuance of the accounting document (with regard to Sztv. Section 166(6) and Section 169(1)–(2)).

3.4.4 Method of processing

Electronically, manually.

3.4.5 Provision of personal data

Providing the personal data is required by law; without it the Data Controller cannot issue an accounting document.

4. What rights do Data Subjects have?

The Data Subject may request free information about the details of the processing of their personal data and, in cases defined by law, may request rectification, erasure, restriction (blocking) or limitation of processing, and may object to the processing of such personal data. Requests and applications under this section may be addressed to the Data Controller's contact details in Section 2.

4.1 Right of access

The Data Subject may receive confirmation from the Data Controller as to whether their personal data are being processed and may access such personal data and information about the processing.

4.2 Right to rectification

At the Data Subject's request, the Data Controller shall rectify inaccurate personal data without undue delay and may also complete incomplete personal data, including by means of a supplementary statement.

4.3 Right to erasure

At the Data Subject's request, the Data Controller shall erase personal data where it is no longer needed, consent is withdrawn, an objection is made, processing is unlawful, etc.

4.4 Right to be forgotten

If requested, the Data Controller will seek to notify any other data controllers who may have learned of and possibly made public the Data Subject's data.

4.5 Right to restriction of processing

At the Data Subject's request, the Data Controller restricts processing if the accuracy of the data is contested, processing is unlawful, an objection is made, or the Data Controller no longer needs the data.

4.6 Right to data portability

The Data Subject may receive the personal data they provided in a structured, commonly used, machine-readable format and may transmit it to another controller.

4.7 Response to requests

The Data Controller shall examine the request and decide within the shortest possible time, but no later than 30 days (or 15 days in the case of an objection), and shall inform the applicant in writing. If the request is refused, the decision shall include the factual and legal reasons.

4.8 Enforcement of rights

We respect the Data Subjects' rights and strive to respond properly and on time. Before seeking remedies from authorities or courts, Data Subjects are kindly requested to contact the Data Controller to resolve disputes amicably.

If no resolution is reached, the Data Subject may enforce their rights in court under Act V of 2013 on the Civil Code (the lawsuit may be initiated at the competent court based on the Data Subject's place of residence or stay), and may also submit a complaint to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH, 1125 Budapest, Szilágyi Erzsébet fasor 22/c).

5. Notification and action obligations

5.1 Notification of recipients

We will notify recipients to whom the Data Subject's personal data were disclosed about any rectification, erasure, or restriction, unless this proves impossible or requires disproportionate effort. At the Data Subject's request, we will inform them about these recipients.

5.2 Method and deadline for information

Information about measures taken following requests in Section 4 will be provided within one month (unless the Data Subject requests otherwise), electronically. This deadline may be extended by up to two months if necessary due to complexity or number of requests. The Data Subject will be informed of the extension and the reasons within one month.

Oral information may be provided if the Data Subject otherwise verifies their identity.

If we do not take action on a request, we will inform the Data Subject within one month of the reasons and of their right to complain to NAIH and seek a judicial remedy.

5.3 Verification

In exceptional cases, if there are reasonable doubts about the identity of the person submitting the request, we may request additional information necessary to confirm identity in order to prevent unauthorized access.

5.4 Costs of information and actions

Information and actions related to Section 4 are provided free of charge. If a request is manifestly unfounded or excessive (especially due to repetitive nature), we may charge a reasonable fee or refuse to act.

6. Possible recipients of personal data

6.1 In connection with services

If personal data are provided for services available on the Website, the Data Controller's hosting provider, as a processor, may access them. During service performance, employees of the Data Controller may access personal data only to the extent required by their job duties.

6.2 In connection with social media platforms

The Website has several social media pages (Facebook, Twitter, Google+, Instagram, YouTube). For example, if the Data Subject "likes" our page on Facebook or "follows" us on Twitter, we may learn personal data available publicly on their profile. Information about processing on these platforms is provided in the relevant provider's own privacy policy.

6.3 In connection with invoicing

For invoicing, the tax authority may access personal data provided for this purpose.
Authority: National Tax and Customs Administration of Hungary (NAV)
Contact: https://www.nav.gov.hu/nav/kapcsolat

7. Cookies

To ensure proper operation, in some cases we place small data files (cookies) on the Data Subject's device, similarly to most modern websites.

7.1 What is a cookie?

A cookie is a small text file stored on the user's device (including mobile phones). It allows the website to remember settings (e.g., language, font size, display preferences) so the user does not have to set them again on each visit.

Cookies used on the Website:

  • Google Analytics

  • Google Tag Manager

  • Google AdWords Remarketing Tag

  • Facebook Pixel Code

  • Smartlook Code

7.2 What do we use cookies for?

Cookies are used primarily to improve user experience, provide clear content, and simplify purchases. Cookies can be deleted or blocked; however, in this case the Website may not function properly.

Cookies are not used to identify Data Subjects personally; they serve only the purposes described above.

7.3 How can cookies be managed?

Cookies can be deleted or blocked in most browsers. If blocked, certain settings must be made again each time and some services may not function.

More details are available at www.AllAboutCookies.org and in the help pages of specific browsers (links listed in the Hungarian version).

8. Google Analytics

8.1 The Website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses cookies stored on the user's computer to help analyze use of the Website.

8.2 Information generated by cookies about the use of the Website is typically transferred to and stored on a Google server in the United States. With IP anonymization enabled, Google shortens the user's IP address within EU Member States or other EEA states.

8.3 Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the Website operator, Google will use this information to evaluate use, compile reports, and provide other services related to website and internet use.

8.4 The IP address transmitted by the browser within Google Analytics is not merged with other Google data. Users can prevent storage of cookies through browser settings; however, this may limit full functionality. Users can also prevent Google from collecting and processing the data generated by cookies (including IP address) by installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=hu

9. Other provisions

9.1 Activity data collection

The Data Controller may collect data about the Data Subject's activity that cannot be linked to other data provided during registration or data generated when using other websites or services.

9.2 Processing for a different purpose

If the Data Controller intends to use the provided data for a purpose other than the original collection purpose, the Data Subject will be informed and their prior explicit consent will be obtained, and they will be given the option to prohibit such use.

9.3 Data security

The Data Controller undertakes to ensure data security and take technical measures to protect data from destruction, unauthorized use, and unauthorized alteration. In line with relevant recommendations, the website uses the HTTPS protocol, providing a higher level of security than HTTP.

9.4 Record-keeping obligation

The Data Controller maintains records of processing activities under its responsibility in accordance with GDPR Article 30.

9.5 Personal data breach

A personal data breach is a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. In the event of a breach, the Data Controller shall act in accordance with GDPR Articles 33 and 34. The Data Controller records breaches, including facts, effects, and remedial measures.

9.6 Amendments

The Data Controller may amend this Notice unilaterally at any time and will inform Data Subjects via the Website. After amendments, use of the Website is conditional upon the Data Subject expressly accepting the changes via the Website in the manner provided.

Effective date: 2023-01-01