Privacy Notice for Mito Weekly
Swipe down for the privacy policy of Mito Group for our Mito Weekly.
Swipe down for the privacy policy of Mito Group for our Mito Weekly.

Mito Group Zrt. (registered seat: H-1053 Budapest, Károlyi utca 9., Hungary; company nr.: 01-10-140905; hereinafter: Data Controller) considers with the utmost of importance to respect the right of information self-determination of its partners and customers. The Data Controller processes personal data confidentially, in accordance with applicable European Union and domestic legislation, as well as with the relevant data protection (authority) practice, and takes all security and organizational measures that guarantee the security, confidentiality, integrity and availability of the data.
Considering the relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) and act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: Infotv.) Data Controller hereby publishes the following privacy notice (hereinafter: Privacy Notice) for the protection of personal data.
The present Privacy Notice is effective from July 8, 2026 until withdrawn, in relation to the processing of the personal data of those involved in the activities carried out by the Data Controller.
The Data Controller reserves the right to unilaterally amend this Privacy Notice at any time. If the present Privacy Notice is amended, the Data Controller will inform the data subjects accordingly.
SUBJECT OF DATA PROCESSING
Based on your prior, clear and express consent, the Data Controller sends newsletters to the data subject in the form of e-mail with a collection of articles on the recent news and curiosities of the advertising industry.
The data subject can subscribe to the newsletter in electronic form on the website of the Data Controller, http://mito.hu/weekly the condition for which is to read the present Privacy Notice.
The data subject is responsible for the accuracy of the data provided; subscriptions containing incorrect or false data will be deleted upon detection.
The Data Controller ensures that the data subject can unsubscribe from the newsletters free of charge at any time.
The Data Controller processes personal data as follows:
Scope of processed personal data: full name and email address
Categories of data subjects: data subjects who subscribe to the newsletter
Source of processed personal data: the data subject.
Purpose of data processing: newsletter sending.
Legal basis: the consent of the data subject based on Article 6 (1) point a) of the GDPR.
Where processing is necessary for the establishment, exercise or defence of legal claims, the legal basis is the legitimate interest of the Data Controller pursuant to Article 6(1)(f) of the GDPR.
Duration of data processing: the Data Controller processes the personal data until the data subject withdraws their consent (i.e. unsubscribes from the newsletter). Following the withdrawal of consent, the data subject’s personal data will be deleted without undue delay, save where further processing is necessary for the establishment, exercise or defence of legal claims. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.
Access: the Data Controller primarily has access to the processed personal data.
Data transfer: personal data will only be forwarded to the listed data processors, or the possible enforcement of rights or claims, by court, prosecutor's office, investigative authority, violation authority, public administrative authority, the National Authority for Data Protection and Freedom of Information, or others authorized by law.
Method of data processing: The Data Controller processes the data subject's personal data electronically.
Profiling: the Data Controller does not make a decision based solely on automated processing in connection with the data subject, nor does it to create a profile of the data subject based on the available personal data.
Data subject rights: in connection with the processing, data subjects may exercise their rights to withdraw consent, access, rectification, deletion, restriction of data processing, and data portability.
From time to time, the Data Controller invites newsletter subscribers to complete a questionnaire in order to better understand readers’ preferences and to improve the content of the newsletter.
The questionnaire is anonymous: the Data Controller does not request the respondent’s name, e-mail address or any other identifying information, and responses cannot be linked to individual subscribers. Responses are analysed exclusively in an aggregated, statistical form, and no conclusions concerning identifiable individuals are drawn from them. The Data Controller does not carry out automated decision-making or profiling in connection with the questionnaire.
The questionnaire contains free-text fields. Respondents are kindly asked not to enter any personal data (their own or anyone else’s) in these fields. If personal data is nevertheless provided, the Data Controller will delete it without undue delay upon becoming aware of it, without analysing or otherwise using it. The legal basis for this limited processing (i.e. deletion of incidentally provided personal data) is the legitimate interest of the Data Controller in enforcing the principle of data minimisation, pursuant to Article 6(1)(f) of the GDPR.
The questionnaire is hosted by Google Forms, a service provided by Google Ireland Limited. Google may independently collect technical data (such as cookie data) in connection with the use of the form, as a separate data controller. For information on Google’s own data processing, please refer to Google’s privacy policy at https://policies.google.com/privacy.
DATA PROCESSORS
Name of company: Sinch AB
Registered office: Lindhagensgatan 112, 112 51 Stockholm, Sweden
Privacy policy: https://www.mailjet.com/legal/privacy-policy/
Activity: data storage, compilation of newsletters, monitoring, compilation of statistics
Name of company: Google Ireland Limited
Registered office: Gordon House, Barrow Street, Dublin 4, Ireland
Privacy policy: https://policies.google.com/privacy
Activity: hosting of the subscriber questionnaire (Google Forms), data storage
Where personal data is stored or otherwise processed outside the European Economic Area by the Data Controller's data processors (e.g. on servers located in a third country), the Data Controller ensures an adequate level of protection in accordance with the GDPR. Where the third country or the recipient is covered by an adequacy decision of the European Commission (such as the EU–U.S. Data Privacy Framework), the transfer takes place on that basis. In the absence of an adequacy decision, the Data Controller ensures appropriate safeguards, in particular through the Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by appropriate technical and organisational measures.
RIGHTS OF DATA SUBJECT
Corresponding to applicable data protection laws, you – based on the given circumstances – shall have the:
Right of access:
The data subject has the right to receive feedback from the data controller as to whether his personal data is being processed, and if such data processing is underway, he is entitled to receive access to the personal data. The Data Controller provides the Data Subject with a copy of the personal data that is the subject of data processing. For additional copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject submitted the request electronically, the information must be provided in a widely used electronic format, unless the Data Subject requests otherwise.
Right to rectification:
The Data Subject has the right to have inaccurate personal data corrected without undue delay upon request by the Data Controller.
Right to erasure:
The data subject has the right to have the data controller delete the personal data concerning him without undue delay at his request, and the data controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:
otherwise processed;
Right to restrict data processing:
The Data Subject is entitled to request that the Data Controller to restrict data processing if
one of the following conditions is met:
If data processing is subject to restrictions, such personal data may only be processed with the consent of the Data Subject, except for storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the European Union or a member state.
Right to data portability:
The Data Subject is also entitled to receive the personal data relating to him provided to the Data Controller in a segmented, widely used, machine-readable format, and is also entitled to transmit this data to another data controller without being hindered by the data controller, to which the personal data has been made available, if: (i) the data processing is based on consent according to point a) of Article 6 (1) of the General Data Protection Regulation or point a) of Article 9 (2) of the General Data Protection Regulation, or on a contract according to Article 6 (1) point a) of the General Data Protection Regulation and (ii) data processing is performed in an automated manner.
Right to object:
The Data Subject has the right to object at any time to the processing of his personal data based on points e) or f) of Article 6 (1), including profiling based on the aforementioned provisions, at any time for reasons related to his own situation. In this case, the data controller may no longer process the personal data, unless the Data Controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are necessary for the presentation, enforcement or defense of legal claims are connected.
Right to lodge a complaint:
The Data Subject has the right to lodge a complaint with the supervisory authority, in particular in the Member State of their habitual residence, place of work or the place of the alleged infringement, if the Data Subject considers that the processing of their personal data infringes the GDPR. In Hungary, the competent supervisory authority is the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH).
General rules for the exercise of the rights of the data subjects:
The Data Controller shall inform the Data Subject without undue delay, but no later than one month from the receipt of the request, of the measures taken as a result of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The Data Controller shall inform the Data Subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request. If the Data Subject submitted the request electronically, the information must be provided electronically, if possible, unless the Data Subject requests otherwise.
The Data Controller provides the Data Subject with information and measures free of charge. If the Data Subject’s request is clearly unfounded or - especially due to its repetitive nature - excessive, the Data Controller, taking into account the administrative costs associated with providing the requested information or communication or taking the requested action:
It is the responsibility of the Data Controller to prove that the request is clearly unfounded or excessive.
If the Data Controller has reasonable doubts about the identity of the natural person who submitted the request, it may request the provision of additional information necessary to confirm the Data Subject’s identity.
DATA SECURITY
The Data Controller and the data processor are entitled to access the personal data of the data subject only to the extent necessary for the performance of their tasks.
In order to ensure data security, the Data Controller assesses and records all data processing activities carried out by it.
Based on the records of data processing activities, the Data Controller performs a risk analysis in order to assess the conditions under which each data processing is carried out, as well as which risk factors during data processing may cause harm and possible data protection incidents. The risk analysis must be performed on the basis of the actual data processing activity. The purpose of the risk analysis is to define security rules and measures that, in line with the performance of the Data Controller's activities, effectively ensure the adequate protection of personal data.
Taking into account the nature, scope, circumstances and purposes of data processing, as well as the varying probability and severity of the risk to the rights and freedoms of natural persons, the Data Controller implements appropriate technical and organizational measures in order to ensure and prove that the processing of personal data is in accordance with GDPR.
Including, but not limited to, where appropriate:
When determining the appropriate level of security, it is necessary to specifically take into account the risks arising from data processing, which in particular arise from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.
The Data Controller implements appropriate technical and organizational measures to ensure that, by default, only such personal data is processed that is necessary for the given specific data processing purpose. This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility. In particular, these measures must ensure that personal data cannot by default become accessible to an indefinite number of persons without the intervention of the natural person. In case of damage or destruction of personal data, attempts must be made to replace the damaged data from other available data sources to the extent possible. The fact of the replacement must be indicated on the replaced data.
The Data Controller protects its internal network with multi-level firewall protection. A hardware firewall (border protection device) is always located at the entry points of the used public networks. The Data Controller stores the data redundantly - i.e. in several places - to protect them from destruction, loss, damage, and unlawful destruction resulting from the failure of the IT device.
It protects internal networks from external attacks with multi-level, active, complex protection against malicious codes (e.g. virus protection).
The Data Controller does everything with the utmost care that can be expected of him to ensure that his IT tools and software continuously comply with the technological solutions generally accepted in market operation.
LEGAL REMEDIES
The Data Subject may at any time contact the Data Controller at adatvedelem@mito.hu. In the event of a violation of their rights, the Data Subject may apply to court against the Data Controller. The court acts out of sequence in the case. The Data Controller is obliged to prove that the data processing complies with the provisions of the law. The adjudication of the lawsuit falls within the jurisdiction of the court, in the capital, the Metropolitan Court. The lawsuit can also be initiated before the court of domicile or residence of the Data Subject.
The Data Controller is obliged to compensate the damage caused to others by the unlawful handling of the Data Subject’s data or by violating the requirements of data security. The Data Controller is released from liability if it proves that the damage was caused by an unavoidable cause outside the scope of data processing. There is no need to compensate the damage if it resulted from the intentional or grossly negligent behavior of the injured party.
In the event of a complaint regarding the handling of his personal data, the Data Subject may also contact the National Authority for Data Protection and Freedom of Information (postal address: 1363 Budapest, Pf.: 9., address: H-1055 Budapest, Falk Miksa utca 9–11., Hungary, Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; E-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).