Overon Ltd. Data Processing Statement 

1. Purpose of the Data Processing Statement 

Overon Ltd. (hereinafter referred to as the service provider), as the data controller, acknowledges the content of this legal notice as binding upon itself. 

It undertakes to ensure that all data processing related to its activities complies with the provisions set out in this policy, as well as the applicable national laws and legal acts of the European Union. The data protection principles related to the service provider’s data processing are continuously available at www.overonvr.com/data-processing-statement. The service provider reserves the right to amend this notice at any time. Naturally, any potential changes will be communicated to its audience in due time. If you have any questions regarding this notice, please write to us and our colleague will respond to your enquiry. The service provider is committed to protecting the personal data of its clients and partners, and considers it of utmost importance to respect their right to informational self-determination. The service provider handles personal data confidentially and takes all security, technical, and organisational measures necessary to guarantee the security of the data. Below, the service provider presents its data processing practices. 

Service provider details: Website operator: Overon Ltd. Tax number: 25078022-2-43 Telephone: +36309204171 E-mail: contact@overonvr.com (mailto:contact@overonvr.com) Registered by: Metropolitan Court of Registration Chamber: Budapest Chamber of Commerce and Industry 

2. Details of the Data Controller 

If you wish to contact our Company, you may do so using the contact details above. The service provider will delete all emails it receives, together with any personal data, no later than five years after the disclosure of the data. 

Website operator: Overon Ltd. Tax number: 25078022-2-43 Telephone: +36309204171 E-mail: contact@overonvr.com (mailto:contact@overonvr.com) Registered by: Metropolitan Court of Registration Chamber: Budapest Chamber of Commerce and Industry 

2.1 Data Protection Officer 

Given the size of our Company and the nature of its activities, we are not required to appoint a data protection officer; for data protection matters, Managing Director Csaba Királyházi acts as the contact person. 

3. Scope of Personal Data Processed 

3.1 Personal Data Required for Registration 

The www.overonvr.com website does not have a registration interface. 

3.2 Technical Data 

The service provider selects and operates the IT devices used for processing personal data during the provision of the service in such a way that the processed data are: 

• accessible to those authorised to access them (availability); 
• their authenticity and authentication are ensured (data processing authenticity); 
• their integrity is verifiable (data integrity); 
• they are protected against unauthorised access (data confidentiality). 

The service provider protects the data with appropriate measures against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction. The service provider ensures the protection of data processing security with technical, organisational, and administrative measures that provide a level of protection appropriate to the risks associated with data processing. During data processing, the service provider preserves: 

• Confidentiality: it protects the information so that only those who are authorised can access it; 
• Integrity: it safeguards the accuracy and completeness of the information and the method of processing; 
• Availability: it ensures that when an authorised user needs it, they can access the desired information and that the necessary tools are available. 

The website uses HTTPS encryption, and the transmission of personal data only takes place through secure, SSL-certified channels. 

3.3 Cookies 

3.3.1 Purpose of Cookies 

• They collect information about visitors and their devices; 
• They remember visitors’ individual settings, which may be used, for example, when using online transactions, so these do not have to be re-entered; 
• They facilitate the use of the website; 
• They provide a quality user experience. 
• For customised service, a small data package, called a cookie, is placed and later read back on the user’s computer during subsequent visits. If the browser returns a previously saved cookie, the provider managing the cookie can link the user’s current visit to previous ones, but solely with respect to its own content. 

3.3.2 Strictly Necessary, Session Cookies 

The purpose of these cookies is to allow visitors to browse the website smoothly and seamlessly, use its features, and access the services available there. These types of cookies are valid until the session (browsing) ends; when the browser is closed, these cookies are automatically deleted from the computer or other device used for browsing. 

3.3.3 Third-party Cookies (Analytics) 

On the service provider’s website (www.overonvr.com and its subpages), Google Analytics third-party cookies are also used. By using the Google Analytics service for statistical purposes, the service provider collects information about how visitors use the website. The data is used for website development and to improve the user experience. These cookies also remain on the visitor’s computer or other device used for browsing until they expire or are deleted by the visitor. 

The Google Analytics (GA4) service is only used with your consent, which you may provide on the cookie management interface displayed during your first visit to the website. 

3.4 Data Related to Online Ordering 

www.overonvr.com does not offer an online ordering option. 

3.5 Data Related to Online Administration 

Csaba Királyházi E-mail: contact@overonvr.com (mailto:contact@overonvr.com) 

3.6 Data Related to Newsletters 

There is currently no newsletter service associated with the www.overonvr.com website. 

4. Planned Use and Retention Period of the Data Processed 

The www.overonvr.com website does not collect, process, or store any data from users. The Company processes only technical data necessary for operation (e.g., IP address, browser data, email enquiries). No other personal data is collected. 

Technical data (e.g., IP address, server logs) are retained for a maximum of 30 days, solely for maintaining the security of the system. 

The lifetime of cookies ranges from 1 day to a maximum of 6 months, depending on their type. 

5. Purpose, Method, and Legal Basis of Data Processing 

5.1 General Data Processing Principles 

The service provider’s data processing activities are based on voluntary consent or statutory authorisation. In the case of data processing based on voluntary consent, data subjects may withdraw their consent at any stage of the data processing. In certain cases, processing, storage, or transmission of some of the provided data is required by law, of which we inform our clients separately. We draw the attention of those providing data to the service provider that if they do not provide their own personal data, it is their responsibility to obtain the consent of the data subject. The data processing principles are in accordance with the applicable data protection legislation, in particular: 

• Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.); 
• Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR); 
• Act V of 2013 on the Civil Code; 
• Act C of 2000 on Accounting; 
• Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing; 
• Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises. 

The legal basis for data processing is the data subject’s consent, the legal obligation of the data controller, the performance of a contract, as well as the legitimate interest of the data controller, if relevant. 

6. Physical Storage Location of Data 

The www.overonvr.com website does not collect, process, or store user data. 

The Company processes only technical data necessary for operation (e.g., IP address, browser data, email enquiries). No other personal data is collected. 

7. Data Transfer, Data Processing, Persons Accessing the Data 

The service provider does not transfer data and does not send data to other parties for processing. 

8. Rights of Data Subjects and Legal Remedies 

The data subject may request information about the processing of their personal data, as well as request the rectification, deletion (except in the case of mandatory data processing), withdrawal, and exercise the right to data portability and objection as indicated when the data was collected, or via the contact details of the data controller above. 

8.1 Right to Information 

The service provider takes appropriate measures to provide all information referred to in Articles 13 and 14 of the GDPR and all notifications referred to in Articles 15–22 and 34 regarding the processing of personal data to data subjects in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. 

8.2 Right of Access 

The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; the planned period for which the personal data will be stored; the right to rectification, deletion, restriction of processing, and objection; the right to lodge a complaint with a supervisory authority; information about the sources of the data; the existence of automated decision-making, including profiling, as well as meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. The data controller provides the information within one month of receipt of the request. 

8.3 Right to Rectification 

The data subject may request the rectification of inaccurate personal data concerning them processed by the service provider and the completion of incomplete data. 

8.4 Right to Erasure 

The data subject has the right to have the service provider erase, without undue delay, personal data concerning them if one of the following grounds applies: 

• the personal data are no longer necessary for the purpose for which they were collected or otherwise processed; 
• the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing; 
• the data subject objects to the processing, and there are no overriding legitimate grounds for the processing; 
• the personal data have been unlawfully processed; 
• the personal data must be erased to comply with a legal obligation under Union or Member State law to which the controller is subject; 
• the personal data have been collected in relation to the offer of information society services. 

Data erasure cannot be initiated if the processing is necessary for: exercising the right of freedom of expression and information; compliance with a legal obligation requiring processing by Union or Member State law; performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; reasons of public interest in the area of public health, or for archiving, scientific or historical research purposes or statistical purposes in the public interest; or the establishment, exercise, or defence of legal claims. 

8.5 Right to Restriction of Processing 

At the data subject’s request, the service provider will restrict processing if any of the following conditions are met: 

• the data subject contests the accuracy of the personal data, in which case the restriction applies for a period enabling the controller to verify the accuracy of the personal data; 
• the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead; 
• the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defence of legal claims; or 
• the data subject has objected to processing; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the controller override those of the data subject. 

If processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. 

8.6 Right to Data Portability 

The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, machine-readable format and have the right to transmit those data to another controller. 

8.7 Right to Object 

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them for reasons of public interest or in the exercise of official authority vested in the controller, or for the legitimate interests pursued by the controller or a third party, including profiling based on those provisions. In such cases, the data controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims. 

8.8 Automated Individual Decision-making, Including Profiling 

The data subject has the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning them or similarly significantly affects them. 

8.9 Right to Withdraw Consent 

The data subject has the right to withdraw their consent at any time. 

8.10 Right to Judicial Remedy 

If the data subject’s rights are violated, they may take the data controller to court. The court shall proceed with the case as a matter of priority. 

8.11 Data Protection Authority Procedure 

Complaints may be lodged with the National Authority for Data Protection and Freedom of Information: 

• Name: National Authority for Data Protection and Freedom of Information 
• Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. 
• Mailing address: 1530 Budapest, Pf.: 5. 
• Telephone: 0613911400 
• Fax: 0613911410 
• E-mail: [ugyfelszolgalat@naih.hu](mailto:ugyfelszolgalat@naih.hu) 
• Website: http://www.naih.hu 

9. Other Provisions 

For data processing not listed in this notice, information will be provided at the time the data is collected. We inform our clients that, under statutory authorisation, courts, prosecutors, investigative authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, the Central Bank of Hungary, or other bodies may contact the data controller to request information, data disclosure, data transfer, or the provision of documents. The service provider will only disclose as much personal data as is strictly necessary for the purpose of the request, provided the authority has specified the exact purpose and scope of the data. 

In force from: 1 January 2025 – Version: 1.5