Privacy Notice on the personal data processing operations of DCS Juicer Limited Liability Company Short overview This notice describes the personal data processing operations related to the operation of DCS Juicer Kft., its websites, partner and employment relationships, EV charging point activities, complaint handling, invoicing and video surveillance. For each purpose, the notice sets out the purpose of processing, the legal basis, the categories of data processed, the retention period and the recipients who may access or receive the personal data. - Controller and principles: Chapters 1-4. - Corporate, partner and employment-related processing operations: Chapter 5. - Website, applications, login and online interfaces: Chapter 6. - EV charging point data processing: Chapter 7. - Video surveillance: Chapter 8. - Data transfers, data subject rights, complaint handling and data security: Chapters 9-13. Introduction This notice has been prepared on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (GDPR), Act CXII of 2011 on informational self-determination and freedom of information, Act V of 2013 on the Hungarian Civil Code and other applicable Hungarian laws. Data processing takes place in particular in connection with contract conclusion, business communication, management of subcontractor and employee relationships, invoicing, website operation, use of login or application interfaces, EV charging point administration, complaint handling, fault reporting, establishment or enforcement of legal claims, compliance with legal obligations and video surveillance. The Controller does not use profiling or solely automated decision-making that would produce legal effects concerning the data subject or similarly significantly affect the data subject. 1. Controller identification details - Name: DCS Juicer Korlátolt Felelősségű Társaság. - Short name: DCS Juicer Kft. - Registered office and postal address: 1089 Budapest, Bíró Lajos u. 61. AS. 1. - Company registration number: 01-09-406925. - Tax number: 32106363-2-42. - E-mail: info@dcsjuicer.com. - Telephone: +36 30 254 0606. - Website: https://dcsjuicer.com/. 2. Principles for processing personal data The Controller processes personal data lawfully, fairly and in a transparent manner for data subjects. - Purpose limitation: personal data are processed only for specified, explicit and lawful purposes. - Data minimisation: only data necessary for the given purpose are processed. - Accuracy: inaccurate personal data are corrected or deleted where appropriate. - Storage limitation: data are retained only for the period necessary to fulfil the purpose, comply with a legal obligation or establish, exercise or defend legal claims. - Integrity and confidentiality: data are protected by appropriate technical and organisational measures. - Accountability: the lawfulness of the processing operations is ensured in a demonstrable manner. The Controller primarily receives personal data directly from the data subject. In certain processing operations, personal data may also come from a contractual partner, an authority, an IT system, a bank, an invoicing service provider or another contributor. 3. Key definitions Personal data: any information relating to an identified or identifiable natural person, such as a name, e-mail address, telephone number, identifier, location data or online identifier. Data subject: the natural person whose personal data are processed by the Controller. Controller: the organisation that determines the purposes and means of the processing of personal data. Processor: the organisation or person that processes personal data on behalf of the Controller. Consent: a freely given, specific, informed and unambiguous statement or clear affirmative action by the data subject. Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data processed. 4. Order of processing The Controller processes personal data relating to partners, staff members, customers, subcontractors, enquirers, website visitors, persons contacting the EV charging point or other data subjects that become known during its activities in accordance with this notice. Personal data are processed only to the extent necessary to fulfil the relevant processing purpose. Processing ends when its purpose has been fulfilled or ceases to exist, unless further retention is required by law or is necessary for the establishment, exercise or defence of a legal claim. 5. General corporate, partner and employment-related processing operations The following processing operations are connected to the general operation of DCS Juicer Kft., its partner relationships, employment-related tasks and legal obligations. Purpose of processing: contract conclusion and business communication with partners - Legal basis: steps prior to entering into a contract or performance of a contract; for contact person data, the legitimate interest of the Controller in maintaining the business relationship; for accounting and tax data, compliance with a legal obligation. - Data processed: for a sole proprietor, name, telephone number, e-mail address, home address or business premises, tax number, contractual and invoicing data; for a partner that is not a natural person, the contact person's name, position, telephone number and e-mail address. - Retention period: for the period necessary for the performance of the contract; for accounting documents, until the retention period prescribed by law; in the case of a legal claim, for the period necessary to establish, exercise or defend the claim. - Recipients and persons authorised to access the data: the Controller's manager and staff performing administrative tasks, accountant, financial service provider, legal contributor and, where required by law, an authority. Purpose of processing: handling job applications and applications - Legal basis: steps prior to establishing an employment relationship and the data subject's consent if the Controller also retains the application material for future contact. - Data processed: name, contact details, CV, data on education and professional experience, photograph, other data provided in the application and employer notes related to the selection process. - Retention period: until the selection process is closed; in the case of separate consent, until the consent is withdrawn, but no longer than the period specified in the consent. - Recipients and persons authorised to access the data: the manager authorised to exercise employer's rights and staff involved in the selection process. Purpose of processing: occupational health fitness management - Legal basis: compliance with a legal obligation. - Data processed: the fact of fitness for work and data related to the fitness examination that may be processed by the employer. - Retention period: for the duration of the employment relationship and according to the applicable statutory retention period. - Recipients and persons authorised to access the data: the manager authorised to exercise employer's rights, staff performing employment administration tasks and the occupational health service provider. Purpose of processing: employment and labour administration - Legal basis: compliance with a legal obligation, performance of an employment contract and, where justified, the Controller's legitimate interest. - Data processed: employee's name, birth name, place and date of birth, mother's name, address, nationality, tax identification number, social security number, bank account number, employment data, position, working time, wage and benefit data, documents certifying education, fitness certificate, family or allowance-related data required by law and other data prescribed by law. - Retention period: during the employment relationship and thereafter until the retention periods prescribed by employment, tax, accounting and social security laws. - Recipients and persons authorised to access the data: the Controller, accountant, payroll or employment administration contributor, financial service provider and, where required by law, an authority. Purpose of processing: invoicing and accounting records - Legal basis: compliance with a legal obligation. - Data processed: billing name, home address or registered office, tax number, invoice contents, payment data and bank data. - Retention period: the retention period required by accounting and tax laws. - Recipients and persons authorised to access the data: the Controller, accountant, invoicing service provider, financial service provider and the Hungarian Tax and Customs Administration (NAV). Purpose of processing: complaint handling - Legal basis: compliance with a legal obligation and the Controller's legitimate interest in investigating complaints and managing legal claims. - Data processed: complainant's name, contact details, content of the complaint, information voluntarily provided in the complaint, related documents, documents of the complaint investigation and the Controller's response. - Retention period: for the time necessary to investigate the complaint and for the applicable statutory or limitation period. - Recipients and persons authorised to access the data: the Controller, legal contributor and, in the case of an audit or procedure, an authority or court. 6. Website, login and online interfaces This chapter applies to data processing related to the dcsjuicer.com website, application and login interfaces and online contact. Purpose of processing: viewing the website and operating it securely - Data subject: the person visiting the dcsjuicer.com website or any of its subpages. - Legal basis: the Controller's legitimate interest in secure website operation, troubleshooting, IT security and the prevention of misuse. - Data processed: technical log data, in particular IP address, browser and device data, requested page address, time, referring page, service status or error code. - Retention period: for the period necessary for the operational and IT security purpose. - Recipients and persons authorised to access the data: the Controller, hosting provider and IT operator. IP address An IP address is a technical identifier that may identify a device or connection during internet access. Web servers may process IP addresses during site use, troubleshooting and security logging. The Controller does not use these data for marketing profiling. Cookies During operation of the website, cookies or similar technologies may be used. These may support website operation, remembering user settings, troubleshooting or statistical purposes. The user may allow, restrict or delete cookies in the browser settings. Refusing certain cookies may affect the operation of some website functions. Purpose of processing: use of application or partner online interfaces - Legal basis: steps prior to entering into a contract or performance of a contract; where applicable, the data subject's consent; for accounting or tax data, compliance with a legal obligation. - Data processed: name, e-mail address, telephone number, sole proprietor or company data, home address or business premises, tax number, username and data voluntarily provided for administration. - Retention period: until the purpose is fulfilled, until the contractual relationship ends, in the case of consent-based processing until consent is withdrawn, or for the statutory retention period where a legal retention obligation applies. - Recipients and persons authorised to access the data: the Controller, IT operator and, where justified, accountant or legal contributor. Purpose of processing: use of the login interface for contracted subcontractor partners - Legal basis: performance of a contract and the Controller's legitimate interest in operating the system securely. - Data processed: e-mail address, login identifier, authorisation data and technical log data. - Retention period: for the duration of the contractual relationship and, for security logs, for the period necessary for the operational purpose. - Recipients and persons authorised to access the data: the Controller and IT operator. 7. EV charging point data processing This chapter applies to the personal data processing operations connected to the electric vehicle charging point of DCS Juicer Kft. in front of 61 Bíró Lajos Street, Budapest District VIII. Scope of EV charging point data processing - Viewing the website related to the EV charging point. - Contact and administration related to the EV charging point. - Fault reporting and technical coordination. - Complaint handling. - Use of trial operation or public charging service. - Handling charging and technical events. - Payment, invoicing and management of legal claims. Purpose of processing: viewing and operating the EV website - Legal basis: the Controller's legitimate interest in secure website operation, troubleshooting and prevention of misuse. - Data processed: technical log data, in particular IP address, browser data, requested page, time, service status or error code. - Retention period: for the period necessary for the operational and IT security purpose. - Recipients and persons authorised to access the data: the Controller, hosting provider and IT operator. Purpose of processing: EV contact and administration - Legal basis: the Controller's legitimate interest in handling enquiries; steps prior to entering into a contract or performance of a contract where the enquiry relates to a contractual relationship. - Data processed: name, e-mail address, telephone number, message content and data necessary for administration. - Retention period: until the matter is closed and for the period necessary to establish, exercise or defend legal claims. - Recipients and persons authorised to access the data: the Controller, IT operator and, where justified, legal or technical contributor. Purpose of processing: EV fault reporting - Legal basis: the Controller's legitimate interest in ensuring safe operation, troubleshooting and service quality of the EV charging point. - Data processed: reporter's name and contact details, description of the fault, location, time, charger identifier, photograph or other voluntarily provided information. - Retention period: until the fault is closed and for the period necessary to establish, exercise or defend legal claims. - Recipients and persons authorised to access the data: the Controller, IT operator, charging point maintenance provider or technical service partner. Purpose of processing: handling EV charging events - Legal basis: steps prior to entering into a contract or performance of a contract; the Controller's legitimate interest in settlement, technical control, troubleshooting and handling disputed matters. - Data processed: charging event identifier, charger and connector data, start and end time, amount of energy charged, status, error message, access identifier and data necessary for fee calculation. - Retention period: for the period necessary to perform the charging service, settlement, complaint handling, establishment, exercise or defence of legal claims or compliance with legal obligations. - Recipients and persons authorised to access the data: the Controller, IT operator, charging point operation or maintenance partner, payment and invoicing contributors. Purpose of processing: EV payment and invoicing - Legal basis: performance of a contract and compliance with a legal obligation. - Data processed: billing name, billing address, tax number, fee, payment status, transaction identifier and invoice identifier. - Retention period: the retention period required by accounting and tax laws. - Recipients and persons authorised to access the data: the Controller, invoicing service provider, accountant, financial or payment service provider and NAV. - In the case of card payment, full bank card data are processed not by the Controller but by the payment service provider. Purpose of processing: EV technical logs - Legal basis: the Controller's legitimate interest in operation, IT and technical security, troubleshooting, maintenance and service quality control. - Data processed: technical data related to charger operation, statuses, error codes, communication logs and maintenance entries. These may qualify as personal data if they can be linked to a specific user or charging event. - Retention period: for the period necessary for the operational, troubleshooting, legal claim enforcement or statutory purpose. - Recipients and persons authorised to access the data: the Controller, IT operator, charging point maintenance provider or technical service partner. Recipients connected to EV data processing - Hosting provider and IT operator. - Invoicing, accounting and legal contributors. - Payment service provider. - Charging point maintenance provider or technical service partner. - Authority, municipality or court where required by law, procedure or a lawful request. Transfers to third countries The Controller does not transfer personal data related to the EV charging point to a third country or an international organisation. If such a transfer becomes necessary, the Controller will carry it out only with appropriate safeguards under the GDPR and after informing the data subjects in advance. 8. Video surveillance Purpose of processing: video surveillance - Legal basis: the Controller's legitimate interest in protecting human life and physical integrity, protecting property and preventing or investigating infringements. - Data processed: video recording and facial image. The camera does not record audio. - Retention period: 14 days, unless a longer retention period is justified due to an incident, legal claim or official procedure. - Recipients and persons authorised to access the data: the Controller, a person specifically authorised for this purpose and, in the case of a legal claim or official procedure, an authority or court. Additional information related to video surveillance The Controller does not use an electronic surveillance system in any room where surveillance could violate human dignity, in particular in changing rooms, showers, toilets, medical rooms or rooms designated for work breaks. The data storage unit of the cameras is physically protected and located in a locked room in a manner inaccessible to unauthorised persons. Viewing recordings is subject to authorisation. Access may be logged in a traceable manner. The use of the electronic surveillance system is indicated by a clearly visible warning sign in the affected area. A precise description of the area monitored by the cameras can be requested through the Controller's contact details. 9. Disclosure and transfer of personal data The Controller transfers personal data to third parties only if a legal basis exists and the transfer is necessary to fulfil the given purpose. In the case of paper-based transfer, the data are transferred by personal handover or by post specifically to the recipient. In the case of electronic transfer, the Controller uses password-protected attachments or other secure solutions where justified. The Controller may transfer personal data in particular to the following recipients: a.) Tax authority (NAV) - Contact details: 1082 Budapest, Baross u. 59.; telephone: +36 1 467 7100. - Legal basis of transfer: compliance with a legal obligation. - Purpose: compliance with tax and accounting obligations. - Data transferred: name, address, tax number, invoicing and tax data. b.) Financial service provider partners - Examples: CIB Bank Zrt., Wise SA, Gránit Bank. - Purpose: wage payment, financial settlement of invoices and handling payment transactions. - Legal basis: performance of a contract, compliance with a legal obligation or legitimate interest. - Categories of transferred data: name, bank account number, transaction or payment data. c.) Accounting service provider partner - Partner: Acounto Magyarország Kft. - Purpose: performance of accounting and related tasks. - Legal basis: compliance with a legal obligation, performance of a contract. - Categories of transferred data: invoicing, accounting and tax data. d.) GPS service provider partner - Partner: GPS-Server.net. - Purpose: supporting asset protection and vehicle operation. - Legal basis: the Controller's legitimate interest. - Categories of transferred data: vehicle data and, where applicable, location data connected to the movement of the vehicle driver. - Retention period: 30 days after the expiry or termination of the service contract, or for the necessary period in the case of a legal claim. e.) GPS support between vehicle drivers - Data subjects: subcontractors contracted as vehicle drivers. - Purpose: supporting more time- and cost-efficient transport. - Legal basis: the data subject's consent. - Categories of transferred data: transport route data through GPS technology. - Access period: until consent is withdrawn, but no longer than the termination of the data subject's subcontractor contract. 10. Rights of data subjects The data subject has the right to request information about the processing of his or her personal data, request access to personal data concerning him or her, and request rectification, deletion or restriction of processing. The data subject has the right to object to processing based on legitimate interest. In the case of consent-based processing, the data subject may withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out on the basis of consent before withdrawal. The data subject may have the right to data portability where processing is based on consent or contract and is carried out by automated means. Exercise of data subject rights: info@dcsjuicer.com The Controller responds to data subject requests without undue delay and no later than within one month. The deadline may be extended under the GDPR where justified by the complexity of the request or the number of requests. 11. Other provisions concerning data processing Termination of processing The Controller deletes personal data if - the processing purpose has ceased, - the processing of the data is unlawful, - the data subject has withdrawn consent and there is no other legal basis, - the data subject has successfully objected to the processing, - deletion is required by law. The Controller restricts processing where the conditions under the GDPR are met, in particular if the data subject contests the accuracy of the data, the processing is unlawful but the data subject opposes deletion, or the data are necessary for the establishment, exercise or defence of legal claims. 12. Handling privacy complaints The Controller treats as a complaint any written comment received from a natural person data subject that concerns data protection and in which the data subject raises a grievance in connection with the Controller's processing. A complaint or request to exercise data subject rights may be sent to the Controller's e-mail address or postal address. The complaint shall contain at least: - complainant's name, - contact details, - subject and description of the complaint, - documents or information related to the complaint, - complainant's signature in the case of a paper-based complaint. The Controller investigates the complaint and responds within the deadline prescribed by the applicable laws. Remedies The data subject may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information and may also turn to court in the event of an infringement of his or her rights. - Hungarian National Authority for Data Protection and Freedom of Information (NAIH). - Address: 1055 Budapest, Falk Miksa u. 9-11. - E-mail: ugyfelszolgalat@naih.hu. - Telephone: +36 1 391 1400. - Website: https://www.naih.hu/. 13. Data security and personal data breach The Controller protects data subjects' personal data by appropriate technical and organisational measures, in particular against unauthorised access, modification, transfer, disclosure, deletion, destruction, accidental loss or damage. Electronic data storage takes place in systems subject to access rights. Paper-based data storage takes place in a locked room or locked cabinet, inaccessible to unauthorised persons. In the event of a personal data breach, the Controller records the report and immediately starts the investigation. In the case of an incident affecting an IT system, the Controller informs the service providers responsible for operating the affected systems. Incident reporting: +36 30 254 0606 or info@dcsjuicer.com During the breach investigation, the Controller may record in particular the following: - the time and place of the breach, - the description, circumstances and effects of the breach, - the categories of data affected by the breach, - the categories of affected persons, - the measures taken to remedy the breach and mitigate damage. Where the statutory conditions are met, the Controller reports the personal data breach to NAIH within 72 hours. Data Protection Officer Based on the processing operations described in this notice, the Controller is not obliged to designate a data protection officer. For data protection matters, the Controller can be contacted at info@dcsjuicer.com. Modification of the notice The Controller may amend this notice in the event of changes in law, operation or services. The notice in force at any time is available at https://dcsjuicer.com/Adatkezeles/. Budapest, June 25, 2026. DCS Juicer Kft.