Barion Pixel
Name: Műegyetemi Hallgatói Kft.
Address: 1111 Budapest, Műegyetem rkp. 3.
Registration Authority: Fővárosi Bíróság, mint Cégbíróság
Company registration number: Cg. 01-09-989523
Tax number: 24080659-2-43
E-mail Address:
Honlapjának címe:
Customer service e-mail address:
Complaints handling location and contact details:  1111 Budapest, Műegyetem rkp. 3.
Munkanapokon 10.00 – 16.00 óra között
Store provider name: BlazeArts Kft. /
Store provider address: 6090 Kunszentmiklós, Damjanich J. u. 36. 1/8.


  1. Introduction
  2. In case of modification of the Privacy Policy, MÜHASZ will notify the User by publishing the changes on the Website at least eight (8) days before the modification comes into force. By using the Webshop after the entry into force of the amendment, the User expressly accepts the amended Privacy Policy.
  3. The MÜHASZ treats personal data confidentially and takes all security, technical and organisational measures to guarantee the security of such data.


– Act CXII of 2007 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the Data Protection Act);

– Act CVIII of 2003 – on certain aspects of electronic commerce services and information society services (Eker. tv.);

– Act XLVIII of 2007 on the Basic Conditions and Certain Restrictions on Commercial Advertising (Act XLVIII of 2007);

– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);

– Act C of 2006 on Accounting (Accounting Act);;

– Act CLV of 2007 – on Consumer Protection (Fgytv.);

– Act V of 2007 – on the Civil Code (Civil Code);

– Act XLVIII of 2007 – on the basic conditions and certain restrictions of economic advertising (Grt.);

– Act CVIII of 2007 – on certain aspects of electronic commerce services and information society services

  1. MÜHASZ undertakes not to impose any sanctions on any User who refuses to provide the optional data.
  2. Definitions used in this Privacy Notice

Data File: the set of data processed in a single register;

data controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and executes decisions regarding the processing (including the means used) or has them executed by a processor on its behalf; data controller: Műegyetemi Hallgatói Kft. (registered office: 1111 Budapest, Műegyetem rkp. data processing: any operation or set of operations which is performed upon the data, regardless of the procedure used, in particular the collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, alignment or combination, blocking, erasure and destruction of personal data and the prevention of their further use;

processing: the performance of technical tasks related to data processing operations, whatever the method and means used to carry out the operations and wherever they are carried out, provided that the technical task is performed on the data;

data processor: a natural or legal person or unincorporated body which processes data on the basis of a contract with the controller, including a contract concluded pursuant to a legal provision;

‘data marking’ means the marking of data with an identifier in order to distinguish them;

data destruction: the total physical destruction of a storage medium containing data;

data transfer: making data available to a specified third party;

data erasure: rendering data unrecognisable in such a way that their recovery is no longer possible;

data blocking: the marking of data with an identification mark for the purpose of limiting their further processing either permanently or for a specified period of time;

automated data file: a set of data to be processed automatically;

EEA State: a Member State of the European Union and another State party to the Agreement on the European Economic Area and a State whose nationals enjoy the same legal status as nationals of a State party to the Agreement on the European Economic Area under an international treaty concluded between the European Union and its Member States and a State not party to the Agreement on the European Economic Area;

data subject: any specified natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;

User: any natural person who registers or purchases without registering on the MÜHASZ website;

automated processing: includes the following operations, when carried out wholly or partly by automated means: storage of data, logical or arithmetical operations on data, alteration, erasure, retrieval and dissemination of data;

third country: any State which is not an EEA State;

third person: a natural or legal person or an unincorporated body other than the data subject, the controller or the processor;

consent: a freely given and freely given indication of the data subject’s wishes, based on adequate information, by which he or she signifies his or her unambiguous agreement to the processing of personal data relating to him or her, whether in full or in part;

disclosure: making personal data available to any person;

personal data: data which can be associated with the data subject, in particular his or her name, an identifier and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the conclusions which can be drawn from the data concerning him or her;

objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data.

  1. General rules on data processing
  2. Personal data may be processed if the data subject consents to it or if it is ordered by law or, on the basis of a law, by a local government decree within the scope specified therein, for a purpose in the public interest. The legal basis for data processing is the voluntary consent of the data subject pursuant to Section 5 (1) a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Act on the Freedom of Information) and Section 13/A of Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services.
  3. The consent of the legal representative of a minor over the age of 16 is not required for the validity of the declaration of consent of the minor concerned.
  4. If the personal data have been collected with the consent of the data subject, the controller shall, unless otherwise provided by law,

– for the performance of a legal obligation to which he is subject, or

– for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject’s consent.

  1. Personal data may only be processed for specified purposes, for the exercise of a right or the performance of an obligation. The processing must at all stages be compatible with the purpose of the processing and the collection and processing of the data must be fair and lawful. Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose. The data processing of MÜHASZ services is based on voluntary consent, however, in certain cases, the processing, storage and transmission of some of the data provided is required by law. MÜHASZ does not use personal data for purposes other than those stated.
  2. Webshop service
  3. Legal basis for data processing

– The processing of data is based on the voluntary, duly informed declaration of the Users, which is necessary for the fulfilment of orders placed in the Webshop. The declaration is given by the User at the time of ordering (or registration – see point 3). The declaration contains the User’s declaration that he/she has read, understood and accepted these Terms and Conditions and his/her express consent to the use of his/her personal data provided during the use of the Webshop as described in these Terms and Conditions. The legal basis for the processing of data is the voluntary consent of the data subject pursuant to Article 5 (1) (a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, or the processing is necessary for the performance of the contract [GDPR 6. Article 6 (1) (b) of the GDPR], as well as the description, quantity and purchase price of the purchased products, subject to Article 169 (2) of Act C of 2000 on Accounting (Accounting Act).

  1. The purpose of data processing

– The purpose of data processing is to ensure the fulfilment of orders placed in the Webshop, to document the purchase and payment, and to fulfil the accounting obligation. The purpose of the data processing is also to identify the User as a User, to deliver the ordered product, to send notifications in connection with the order, to issue invoices, to process payments, to register Users, to distinguish them from each other, to maintain contact with Users and to ensure more targeted user service. Data processed: surname and first name, telephone number, e-mail address, password provided during pre-registration, delivery address in case of a delivery request, billing address provided for invoicing, number, date and time of the transaction, receipt content, name, address and tax number in case of VAT invoices. Duration of data processing for the data specified in paragraph 169§ (2) of the Accounting Act: 8 years.

  1. Registration

– During the pre-registration process, the User’s provision of a password enables the User to enter his/her data only once for purchases in the Webshop by creating a user account, and not for each purchase, and to track his/her purchases with his/her registration profile. The data provided will be processed by MÜHASZ until the User prohibits the use of the data for such purposes by unsubscribing, or, if the User profile becomes inactive, for 5 years from the last User login.

– The data that may be provided at the User’s choice are e-mail address, telephone number, name, place of residence/residence, which faculty of the BME the User studies at, billing address, delivery address, e-mail address and password for logging in.

  1. 4. Electronic newsletter

– If the User subscribes to the newsletter, MÜHASZ may send him/her a newsletter at a frequency (but no more than twice a week) at its own discretion, unless the User requests a more frequent newsletter.  MÜHASZ shall, as far as possible, endeavour to offer MÜHASZ services and products to the readers of the newsletter in a personalised manner, according to the place of residence and the probable interests of the User, based on previous purchases and other data provided. By subscribing to the newsletter, the User consents to the processing of the personal data required for this purpose by the Data Controller.

– The purpose of the processing is to send e-mail newsletters containing advertising to interested parties. Legal basis for processing: voluntary consent of the data subject and Article 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities. The scope of the data processed: name, e-mail address, place of residence, data listed at registration, data on previous purchases, data provided by the User.

– Duration of data processing: until consent is withdrawn. You can unsubscribe from the newsletter by clicking on the Unsubscribe link at the bottom of the newsletter. Personal data will be deleted within 10 working days of receipt of the request.

  1. Cookie

– MÜHASZ places a small data packet (so-called “cookie”) on the User’s computer in order to provide a personalized service. The purpose of the cookie is to ensure the best possible functioning of the site in order to enhance the user experience. By visiting the Webshop and using some of its functions, the User gives his/her consent to the storage of these cookies on the User’s computer and to their access by MÜHASZ. The User may set and block cookie-related activities through the browser program, with the understanding that in the latter case, without the use of cookies, the User may not be able to use all the services of the Webshop.

– The legal basis for the processing of functional cookies, which are essential for the operation of the Webshop, is Article 6(1)(f) GDPR, while cookies for statistical and marketing purposes are processed by MÜHASZ with the express consent of the website visitor (Article 6(1)(a) GDPR).

  1. Statistical data

– The data processed may be used by the MÜHASZ for statistical purposes. The use of the data in aggregated statistical form shall not include the name or any other identifiable data of the User concerned.

  1. Data technically recorded during the operation of the system

– The data technically recorded in the course of the operation of the system are the data of the User’s logon computer, which are generated during the use of the service and which are recorded by the data controller’s system as an automatic result of technical processes. The data that are automatically recorded are automatically logged by the system at the time of log-in or log-out, without any specific declaration or action by the User. These data may not be linked to other personal data of the User, except in cases required by law. The data may only be accessed by the Data Controller. The purpose of the automatically recorded data is to ensure the provision of the services available through the Data Controller’s Internet pages, the display of personalised content and advertisements, the production of statistics, the technical development of the IT system, the protection of Users’ rights, and the general analysis of user habits. The data made available by the Users when using the service may be used by the Data Controller to form User groups and to display targeted content and/or advertisements on the Data Controller’s websites to the User groups.

The data that are automatically, technically recorded during the operation of the system are stored in the system for a period of time from the moment they are generated that is reasonable for the operation of the system. MÜHASZ ensures that these automatically recorded data will not be linked to other personal data of the user, except in cases required by law.

  1. MÜHASZ website

– The html code of the Webshop contains links from and to external servers independent of MÜHASZ. The providers of these links are able to collect User data due to the direct connection to their server.

An external service provider assists in the independent measurement of website traffic and other web analytics data (Google Analytics). The data controller can provide detailed information on the management of the measurement data, contact:

  1. Other data processing

– MÜHASZ will provide information on data processing not listed in this information notice at the time of data collection. We inform our visitors that the Data Controller may be contacted by courts, prosecutors, investigating authorities, law enforcement authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information (NAIH) or other bodies authorised by law to provide information, data or documents. If the court or authority has indicated the precise purpose and scope of the data, the MÜHASZ shall disclose personal data to the courts or authorities only to the extent and to the extent strictly necessary for the purpose of the request.

MÜHASZ does not control the personal data provided to it by the data subject. Only the data subject providing the data is responsible for the correctness of the data provided. By providing an e-mail address, each User also assumes responsibility for the fact that he/she is the only one to use the service from the e-mail address provided. With regard to this assumption of responsibility, any liability for accessing the service from a given e-mail address shall be borne solely by the User who registered the e-mail address. If the User does not provide his/her own personal data, he/she is obliged to obtain the consent of the data subject. The right to access personal data is reserved to employees or other persons having an employment relationship with MÜHASZ (e.g. courier service staff involved in the delivery of products – if the delivery has been requested by the User) and to Data Processors.

  1. Transfer of data, identification of Data Processors

– MÜHASZ will only transfer personal data to third parties with the prior and express consent of the User. This does not apply to any transfers required by law or to the data processors indicated in this document.

– By using the service, the User consents to the transfer of the data by MÜHASZ to the following partners:

  1. to the provider of the technical conditions for invoicing, as Data Processor, which is: számlá, operator: Kft. (tax number: 13421739-2-13, company registration number: 13-09-101824, registered office: 2000 Szentendre, Táltos u. 22/b).
  2. The scope of the data varies from one financial institution to another. The personal data provided on the financial institution’s own data request pages will not be disclosed to MÜHASZ.

3.MÜHASZ, as Data Controller, is entitled and obliged to transmit to the competent authorities any personal data at its disposal and stored by it in accordance with the law, which it is obliged to transmit by law or by a final court decision or a final decision of a public authority. Such transfers and the consequences thereof shall not be the responsibility of the MÜHASZ.

  1. Data security measures

– MÜHASZ shall exercise the utmost care in the processing and storage of personal data. In the area of information security, MÜHASZ uses the most effective and up-to-date tools and procedures reasonably available and follows the principles set out below.

– The Controller shall design and implement data processing operations in such a way as to ensure the protection of the privacy of data subjects.

– The data controller shall ensure the security of the data and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the provisions of the GDPR and other data protection and confidentiality rules.

– In particular, appropriate measures must be taken to protect the data against unauthorised access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction or damage and against inaccessibility resulting from changes in the technology used.

– In order to protect the data files managed electronically in the different registers, appropriate technical arrangements should be in place to ensure that data stored in the registers cannot be directly linked and attributed to the data subject, except where permitted by law.

– When defining and applying data security measures, the controller should take into account the state of the art. The choice between several possible processing solutions should be made which ensure a higher level of protection of personal data, unless this would impose a disproportionate burden on the controller.

– The MÜHASZ shall select and operate the IT tools used for the processing of personal data in the provision of the service in such a way that the data processed:

– is accessible to authorised persons (availability);

– its authenticity and authenticity are ensured (authenticity of processing);

– its integrity can be verified (data integrity);

– is protected against unauthorised access (data confidentiality).

MÜHASZ ensures the security of data processing by technical, organisational and organisational measures that provide a level of protection appropriate to the risks associated with the processing.

– In the course of processing, MÜHASZ shall keep

– confidentiality: it protects the information so that only authorised persons have access to it;

– integrity: to protect the accuracy and completeness of the information and the method of processing;

– availability: it ensures that when the authorised user needs it, he has effective access to the information and the means to obtain it.

– The IT system and the network of the OHIM are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flooding, as well as computer viruses, computer intrusions and attacks leading to denial of service. MÜHASZ ensures security through server-level and application-level protection procedures

  1. Rights of data subjects and their enforcement, objection to processing of personal data, judicial redress and compensation
  2. Changes to certain personal data may also be made by modifying the personal profile page. Once a request for deletion or modification of personal data has been fulfilled, the previous (deleted) data can no longer be restored.

Users may request information about the processing of their personal data. A request for information sent by e-mail shall be considered as authentic by the MÜHASZ only if it is sent from the registered e-mail address of the User. At the request of the data subject, the controller shall provide information on the data of the data subject processed by the controller or by a data processor on its behalf, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the data processor and the activities of the data processor in relation to the processing, and, in the case of transfer of the data subject’s personal data, the legal basis and the recipient of the transfer. The request for information should be sent by e-mail to The MÜHASZ shall provide the information in writing in an intelligible form, at the request of the data subject, within the shortest possible time from the date of the request, but not later than 30 days. The information described above shall be provided free of charge if the person requesting the information has not yet submitted a request for information to the controller for the same set of data in the current year. In other cases, a fee may be charged. The fee already paid shall be refunded if the data have been unlawfully processed or if the request for information has led to a rectification. The data controller may refuse to provide the data subject with information only in the cases provided for in the General Data Protection Regulation. In the event of refusal to provide information, the controller shall inform the data subject in writing of the provision of the Act on the basis of which the refusal was made. In the event of refusal to provide information, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority). The controller shall notify the Authority of any refused requests annually by 31 January of the year following the year in question.

  1. The data subject may request the controller to rectify his/her personal data and to erase or block his/her personal data, except for mandatory processing.
  2. The controller shall keep a register of transfers for the purpose of monitoring the lawfulness of the transfer and informing the data subject, which shall include the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.

If the personal data is not accurate and the accurate personal data is available to the controller, the controller shall rectify the personal data.

  1. The personal data shall be deleted if:

– the processing is unlawful;

– the data subject requests it, as provided for in the GDPR;

– it is incomplete or incorrect – and this situation cannot be lawfully remedied – provided that erasure is not precluded by law;

– the purpose of the processing has ceased to exist or the statutory time limit for the storage of the data has expired;

– it has been ordered by a court or the Authority.

  1. Personal data blocked in this way may be processed only for as long as the processing purpose which precluded the deletion of the personal data persists.
  2. The rectification, blocking, marking and erasure shall be notified to the data subject and to all those to whom the data were previously disclosed for processing. Notification may be omitted if this does not harm the legitimate interests of the data subject having regard to the purposes of the processing. If the controller does not comply with the data subject’s request for rectification, blocking or erasure, it shall, within 30 days of receipt of the request, provide in writing the factual and legal reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.
  3. The data subject must be informed before the processing starts whether the processing is based on consent or whether it is mandatory.
  4. 5(6) of the Act, and who may access the data. The information shall also cover the rights and remedies of the data subject in relation to the processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the information referred to in the above paragraph.
  5. The data subject may object to the processing of his or her personal data,

– where the processing or transfer of the personal data is necessary solely for compliance with a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller, the recipient or a third party, except in the case of mandatory processing;

– where the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes; and

– in other cases specified by law.

  1. If the controller establishes that the data subject’s objection is justified, the controller shall terminate the processing, including further collection and further transmission, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data concerned by the objection have been previously disclosed and who are obliged to take measures to enforce the right to object.
  2. If the data subject disagrees with the decision of the controller or if the controller fails to comply with the time limit, the data subject may, within 30 days of the notification of the decision or the last day of the time limit, take the matter to court in the manner provided for in Article 23 of the Act.

If the data controller does not receive the data necessary to exercise the data subject’s rights because of the data subject’s objection, the data subject may, within 15 days of the notification, take legal action against the controller in order to obtain the data in the manner provided for in Article 23 of the GDPR. The controller may also bring legal proceedings against the data subject.

If the controller fails to give notice, the data subject may request the controller to provide information on the circumstances surrounding the failure to provide the data, which information the controller shall provide within 8 days of the delivery of the data subject’s request. In the event of a request for clarification, the data subject may bring an action against the controller before a court within 15 days of the date on which the clarification was provided, but no later than the time limit for the provision of clarification. The controller may also bring legal proceedings against the data subject.

The controller may not erase the data of the data subject if the processing is ordered by law. However, the data may not be transferred to the data recipient if the controller has consented to the objection or the court has ruled that the objection is justified.

  1. The court shall rule on the case out of turn. The controller shall prove that the processing is in compliance with the law.

The tribunal has jurisdiction to hear the case. The action may also be brought, at the option of the data subject, before the court for the place where the data subject resides or is domiciled. A person who does not otherwise have legal capacity may be a party to the proceedings. The Authority may intervene in the proceedings in order to ensure that the person concerned is successful. If the court upholds the application, the controller shall be required to provide information, rectify, block or erase the data, annul the decision taken by automated processing, take account of the data subject’s right to object

The court may order the publication of its judgment, with the publication of the controller’s identification data, if the interests of data protection and the rights of a larger number of data subjects protected by this Act so require.

  1. The controller shall compensate any damage caused to another party by unlawful processing of the data subject’s data or by breach of data security requirements. The controller shall also be liable to the data subject for any damage caused by the processor. The controller shall be exempted from liability if it proves that the damage was caused by an unavoidable cause outside the scope of the processing. No compensation shall be payable in so far as the damage resulted from the intentional or grossly negligent conduct of the data subject.


– If you have any questions or comments, please contact MÜHASZ at The User may exercise his/her legal remedies before the courts in accordance with the Civil Code and the Civil Code. Legal remedies and complaints may be lodged with the National Authority for Data Protection and Freedom of Information:


Name: National Authority for Data Protection and Freedom of Information

Address. 1055 Budapest, Falk Miksa str. 9-11.

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410