Privacy policy

Last update / Effective: 1 January 2024.

I. General provisions

Service provider details:

Name of the Service Provider: Honest Ltd.

Registered office and postal address: 1055 Budapest, Szent István krt. 11.

Registering authority: Metropolitan Court of Budapest as a Court of Justice

Company registration number: Cg. 01-09-569279

Tax number: 12253913-2-41

Your e-mail address:

Website address:,

Telephone customer service: +36-1-374 33 29

Complaints handling location and contact details: +36-1-374 33 29, on working days between 10.00 - 16.00

Store provider name: - externIT Kft 

Service address of the depot: Budapest, Városmajor u. 1c, 1122

I. Purpose of the Code:

This Policy aims to ensure that in all areas of the services provided by the Service Provider, all individuals, regardless of their nationality or place of residence, are guaranteed that their rights and fundamental freedoms, in particular their right to privacy, are respected when their personal data are processed by automated means (data protection).

II. Privacy Policy applied by the Company

1. The Service Provider's data management principles are in accordance with the applicable data protection legislation and the relevant provisions of the GDPR.

2. Information about the Service Provider's data management is always available in the footer of the home page of the website.

3. The Service Provider is entitled to. Data Processing Policy unilaterally change. The Privacy Policy the Service Provider will notify the User of any changes by publishing the changes on The entry into force of the amendments to the Privacy Policy the User will only be able to access the amended Privacy Policy when using the system. By using the Service after the effective date of the amendment, the User accepts the amended Privacy Policy.

4. The Service Provider is committed to the protection of the User's personal data, and considers it of the utmost importance to respect the right of informational self-determination of its customers. The Service Provider shall treat personal data confidentially and shall take all reasonable steps to protect the privacy of its customers. as best he can security, technical and organisational measures to guarantee the security of the data.

5. The Service Provider uses personal data that are indispensable for the use of its services on the basis of the consent of the data subjects and only for the purpose for which they are intended.

III. Legal basis for processing 

1. Personal data may be processed if the data subject consents to it or if it is ordered by law or, on the basis of a law, by a local government decree within the scope specified therein, for a purpose in the public interest. The legal basis for data processing is the voluntary consent of the data subject pursuant to Section 5 (1) a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Act on the Freedom of Information) and Section 13/A of Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services.

2. The User gives his/her consent to the processing of certain data by using the website, by registering or by voluntarily providing the data in question.

3. The purpose of the automatically recorded data is to compile statistics, to improve the technical development of the IT system and to protect the rights of the User.

4. The Service Provider does not verify the personal data provided to it. The person providing the data is solely responsible for the correctness of the data. Any User who provides an e-mail address shall also be responsible for the fact that he/she is the only one to use the service from the e-mail address provided. With regard to this assumption of responsibility, any liability for accessing the service from a given e-mail address rests solely with the User who provided the e-mail address. If the User does not provide his/her own personal data, he/she is obliged to obtain the consent of the data subject and to inform the Data Controller thereof.

IV. Purpose and scope of data processing, duration of data processing

1. Technical data
Data technically recorded during the operation of the system: the data of the User's computer logging in, which are generated during the use of the service and which are recorded by the Service Provider's system as an automatic result of technical processes. The automatically recorded data are automatically logged by the system on logging in or logging out, without any special declaration or action by the User. These data may not be linked to other personal user data, except in cases required by law. The data may only be accessed by the Service Provider.

2. cookie
During visits to the Website, the Service Provider sends one or more cookies - small files containing a series of characters - to the User's computer, which will allow the User's browser to be uniquely identified. These cookies are provided by Google and are used through the Google Adwords system. These cookies are only sent to the visitor's computer when visiting certain sub-pages, i.e. they only store the fact and time of the visit to the sub-page in question, and no other information. The use of the cookies sent in this way is as follows. The User may opt out of Google cookies by going to the Google advertising opt-out page.

External servers help to independently measure the website's traffic and other web analytics data (Google Analytics). The data controllers can provide detailed information on the handling of the measurement data to the User ( If the User does not want Google Analytics to measure the above data in the manner and for the purpose described, please install a browser add-on to block this.

3. Data processing in relation to newsletters and unsubscribe letters
On you can subscribe to a personalised newsletter. In connection with the use of this option, the user who subscribes to the newsletter voluntarily provides the Service Provider with the personal data specified below:
Name / Email address / Phone number / Address / Website usage behaviour / Newsletter reading behaviour / Shopping behaviour

4. Purchase of tickets/drink packages and other products

The processing is based on the User's voluntary, duly informed declaration, which, in the case of the purchase of a ticket/drink package, is necessary for the use of the sales service on the website, by using the sales service on the website, the User declares that by using the website, he/she gives his/her explicit consent to the use of the personal data provided during the use of the website. The legal basis for the processing of the data is the voluntary consent of the data subject pursuant to Article 5 (1) (a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information and Article 169 (2) of Act C of 2000 on Accounting.

Only persons who are at least 18 years of age and have legal capacity are entitled to make purchases through the Service Provider's system.

The purpose of the processing is to ensure the provision of the service of selling tickets or ordering a drinks package on the website, the order, its processing, the documentation of the purchase and payment, the fulfilment of the accounting obligation. Furthermore, the purpose of the data processing is to identify the User as a ticket purchaser and to fulfil the ordered service, to send notifications in connection with the order, to issue invoices, to process payments, to register the Users and to distinguish them from each other. Processed data: first and last name / telephone number / e-mail address, billing address provided for invoicing / number, date and time of the transaction / content of the receipt / customer code / name, address and tax number in the case of VAT invoices. Duration of processing: 8 years.

5. Statistical data

The Service Provider may use the data for statistical purposes in the limited way provided for by the legislation in force. The use of the data in aggregate statistical form shall not include the name or any other identifiable data of the User concerned.

Data which are automatically, technically recorded during the operation of the system, for a period of time from the moment they are generated which is reasonable to ensure the functioning of the system, or for the period provided for by the legislation in force are stored in the system. The Company ensures that these automatically recorded data cannot be linked to other personal data of the user, except in cases required by law. If the User has withdrawn his/her consent to the processing of his/her personal data or has unsubscribed from the service, his/her identity will not be identifiable from the technical data.

6. Other data processing

Any other processing that may be necessary beyond the general data processing not listed in this notice will be provided at the time of collection. Such specific processing includes the provision of information by the courts, prosecutors, investigating authorities, law enforcement authorities, administrative authorities, the Data Protection Commissioner or other bodies authorised by law, when they contact the Controller to disclose, transfer or provide documents. The Service Provider shall disclose personal data to these institutions and authorities only to the extent required by the applicable legislation, to the extent and to the extent that is strictly necessary for the purpose of the request, provided that the requesting institution or authority has indicated the exact purpose and scope of the data and the legal reference.

6.1. Telephone conversations

The Service Provider maintains a telephone customer service. The telephone conversation is not recorded. However, in the case of a table reservation, the name and telephone number may be recorded in order to identify the User. The User voluntarily consents to the provision of this information by making the call and being informed of the call. These data will be kept for the period of time specified by law.

6.2. Camera shots
The Service Provider operates a camera system within its catering unit (Morrison's 2 Entertainment Hall, 1055 Budapest, Szent István krt. 11.). By purchasing the entrance fee and by entering the club, the User accepts and agrees that he/she may be subject to camera recording. Depending on the technical capabilities of the recording units, the camera recordings are stored for 3 - 4 days. After this period, the recordings are automatically deleted. The Service Provider shall only transfer the recorded camera recordings to a 3rd party upon request by the authorities.

6.3 Photographs
The Service Provider may take photographs inside its catering unit (Morrison's 2 Entertainment, 1055 Budapest, Szent István krt. 11.). By purchasing the entrance fee or by entering the club, the User accepts and agrees that a photo may be taken of him/her. The copyright of the photographs belongs to the Service Provider.

7. Duration of data processing: until the consent is withdrawn. You can unsubscribe by clicking on the Unsubscribe link at the bottom of the newsletter. Personal data will be deleted within 10 working days of receipt of the request.

V. Persons entitled to access the data

The data may be accessed by the Service Provider's marketing staff and by the additional data processors named below in order to perform their tasks. For example, the Service Provider's system administrator and the data processors named in this notice may access personal data for the purposes of case management and data processing.

Name of the Data Processor
1/ BZ Adószakértő Kft. - 1016 Budapest, Szirtes u. 15. / accounting
2/ Kft. - 1031 Budapest, Záhony utca 7. / Electronic billing system operator
3/ BeeCorp Studio Ltd. - 2161 Csomád, Levente u. 14. A. ép.4 / administrator activity
4/ Kibernet Kft. - 1122 Budapest, Városmajor u. 1c. / hosting

The Service Provider forwards the data provided by the User to Kft. in order to issue the electronic invoice. The purpose of the data transfer is to send an invoice for the purchase to the User electronically, to the email address provided by the User.

The Data Controller uses the web analytics services of Google LLC, Google Analytics, Google Adwords, Facebook Ireland Ltd. The web analytics services also use cookies to help analyse the use of online interfaces. The data subject, by providing specific and explicit consent to the use of online platforms, authorises Google Analytics and Google Adwords to transfer information generated by cookies about the use of the online platform to Google's servers. The other cookies processed are stored on servers within the European Union. By giving the specific consent provided on the website, the user consents to the collection and analysis of his/her data in the manner and for the purposes set out above. The above mentioned service providers use this information to evaluate and analyse the use of online interfaces by the data subject, to compile reports on the activities carried out on online interfaces and to provide other services related to the activities carried out on those interfaces and to the use of the Internet.

VI. Data security measures 

1. The Service Provider shall exercise the utmost care in the processing and storage of personal data. In the area of information security, the Service Provider shall use the most effective and up-to-date tools and procedures reasonably available.

2. The Controller shall design and implement the processing operations in such a way as to ensure the protection of the privacy of the data subjects.

3. The data controller or the data processor in the scope of its activities shall ensure the security of the data, and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the provisions of the GDPR and other data protection and confidentiality rules.

4. Appropriate measures shall be taken to protect the data against, in particular, unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or damage and inaccessibility resulting from changes in the technology used.

5. In order to protect the electronically managed data files in the different registers, an appropriate technical solution must ensure that the data stored in the registers cannot be directly linked and attributed to the data subject, unless permitted by law.

6. When processing personal data by automated means, the controller and the processor shall take additional measures to ensure that.

  • prevent unauthorised data entry;
  • preventing the use of automated data processing systems by unauthorised persons using data transmission equipment;
  • the verifiability and ascertainability of the bodies to which personal data have been or may be transmitted using data transmission equipment;
  • the verifiability and ascertainability of which personal data have been entered into automated data processing systems, when and by whom;
  • the recoverability of the installed systems in the event of a failure, and
  • that errors in automated processing are reported.

7. The controller and the processor shall take into account the state of the art when defining and implementing measures to ensure data security. The choice between several possible processing solutions should be made which ensure a higher level of protection of personal data, unless this would impose a disproportionate burden on the controller.

8. The Service Provider shall select and operate the IT tools used to process personal data in the course of providing the service in such a way that the processed data:

  • accessible to authorised persons (availability);
  • authenticity and verification (authenticity of processing);
  • can be verified to be unchanged (data integrity);
  • be protected against unauthorised access (data confidentiality).

9. The Service Provider shall ensure the security of data processing by technical, organisational and organisational measures that provide a level of protection appropriate to the risks associated with data processing.

10. Electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.) are vulnerable to network threats that could lead to fraudulent activity or to the disclosure or modification of information. The Service Provider will take all reasonable precautions to protect against such threats. It will monitor systems to ensure that any security discrepancies are recorded and evidence of any security incidents is available. However, the Internet is not, as is well known to Users, 100% secure. The Service Provider shall not be liable for any damage caused by an unprotected attack, despite the utmost care.

VII. Rights of data subjects and their enforcement, objection to processing of personal data, judicial redress and compensation

1. A change in personal data or a request for the deletion of personal data may be communicated by means of a written statement in a private document with full probative value sent to the registered e-mail address or by post. Changes to certain personal data may also be made by modifying the personal profile page. Once a request for deletion or modification of personal data has been fulfilled, the previous (deleted) data can no longer be restored.

Users may request information about the processing of their personal data. Requests for information sent by e-mail shall be considered authentic by the Data Controller only if they are sent from the registered e-mail address of the User. At the request of the data subject, the controller shall provide information on the data processed by the data subject or by a processor to whom the data subject has delegated the processing, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, and, in the case of transfer of the data subject's personal data, the legal basis and the recipient of the transfer. The request for information should be sent by e-mail to The Service Provider is obliged to provide the information in writing in an intelligible form, at the request of the data subject, within the shortest possible time from the date of the request, but not later than 30 days.
The information described above is free of charge if the person requesting the information has not yet submitted a request for information to the controller for the same set of data in the current year. In other cases, a fee may be charged. The fee already paid shall be refunded if the data have been unlawfully processed or if the request for information has led to a rectification.

The data controller may refuse to provide the data subject with information only in the cases specified in the GDPR. In the event of refusal to provide information, the controller shall inform the data subject in writing of the provision of this Act on the basis of which the information was refused.

2. The data subject may request the controller to rectify his or her personal data and to erase or block his or her personal data, except for mandatory processing.

3. The controller shall keep a register of transfers for the purpose of monitoring the lawfulness of the transfer and informing the data subject, which shall include the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.

4. If the personal data is not accurate and the accurate personal data is available to the controller, the controller shall correct the personal data and notify the data subject thereof.

5. The personal data shall be deleted if

a) unlawful treatment;

b) the data subject requests it, as provided for in the Avtv;

(c) it is incomplete or incorrect, a situation which cannot be lawfully remedied, provided that cancellation is not precluded by law;

(d) the purpose of the processing has ceased or the statutory time limit for the storage of the data has expired;

(e) ordered by a court or the Authority.

In the case referred to in point (d) of the preceding paragraph, the obligation to erase shall not apply to personal data whose data medium is subject to archival custody pursuant to the legislation on the protection of archival material.

5. Instead of erasure, the controller shall block the personal data if the data subject so requests or if, on the basis of the information available to him or her, it is likely that erasure would harm the data subject's legitimate interests. Personal data blocked in this way may be processed only for as long as the processing purpose which precluded the deletion of the personal data continues to exist.

6. The controller shall mark the personal data that it processes if the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.

7. Rectification, blocking, flagging and erasure must be notified to the data subject and to all those to whom the data were previously disclosed for processing. Notification may be omitted if this does not harm the legitimate interests of the data subject having regard to the purposes of the processing.

8. If the controller does not comply with the data subject's request for rectification, blocking or erasure, the controller shall, within 30 days of receipt of the request, communicate in writing the factual and legal grounds for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.

9. The data subject must be informed before the processing starts whether the processing is based on consent or whether it is mandatory.

10. The data subject shall be informed clearly and in detail of all facts relating to the processing of his or her data before the processing begins, in particular the purpose and legal basis of the processing, the person authorised to process and process the data, the duration of the processing, if the controller processes the personal data of the data subject pursuant to paragraph (5) of Article 6 of the Data Protection Act, and who may access the data. The information shall also cover the rights and remedies of the data subject in relation to the processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the information referred to in the above paragraph.

11. The data subject may object to the processing of his or her personal data,

  • where the processing or transfer of personal data is necessary for the fulfilment of a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller, the recipient or a third party, except in cases of mandatory processing;
  • if the personal data are used or disclosed for direct marketing, public opinion polling or scientific research purposes; and
  • in other cases specified by law.

The controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide whether the objection is justified and inform the applicant in writing of its decision.

If the controller establishes that the data subject's objection is justified, the controller shall terminate the processing, including further collection and further transmission, and block the data.

If the data subject does not receive the data necessary to exercise his or her rights due to the data subject's objection, he or she may, within 15 days of the notification, take legal action against the controller in order to obtain access to the data, as provided for in Article 22 of the Data Protection Act. The controller may also bring legal proceedings against the data subject.

The controller may not delete the data of the data subject if the processing is required by law. However, the data may not be transferred to the data recipient if the controller has consented to the objection or if the court has ruled that the objection is justified.

12. The controller shall compensate any damage caused to another party by unlawful processing of the data subject's data or by breach of data security requirements. The controller shall be exempted from liability if he proves that the damage was caused by an unavoidable cause outside the scope of the processing. No compensation shall be payable where the damage resulted from the intentional or grossly negligent conduct of the injured party.

VIII. Enforcement options:

If you have any questions or comments, please contact the Service Provider at The User may exercise his/her rights of enforcement before the courts in accordance with the Data Protection Act and the Civil Code. Legal remedies and complaints may be lodged with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information

postal address: 1530 Budapest, Pf.: 5.

address: 1125 Budapest Szilágyi Erzsébet fasor 22/c

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410



Done at Budapest, 1 January 2024