Privacy Policy

  1. Data controller’s data:

Name of contractor: Judit Czinkné Poór sole proprietor

Registered office: 8400 Ajka, Rákóczi Ferenc utca 2. 2. em. 4. a.

Premises: 8451 Ajka-Padragkút, Padragi út 57.

Tax number: 79126603-1-39

Registration number: 50100277

Phone number: +3630/654 0376

E-mail address: mezesmanna@gmail.com

  1. Purpose of the Privacy Policy:

The data controller acknowledges that it is bound by the contents of this legal notice. The purpose of this Privacy Policy is to inform your customers, partners and clients about the processing of their personal data. The data controller shall process personal data only in accordance with the provisions of the applicable legislation, in strict compliance with the provisions of the data management and data protection regulations, taking into account the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, limited storage.

The data controller shall take all technical and organizational measures to process the personal data of its partners in a secure manner as required by Regulation (EU) 2016/679 of the European Parliament and of the Council.

In line with the above, the data controller has developed its day-to-day activities, rules, records, templates and information.

The data controller’s privacy policy in relation to its data processing is permanently available at the data controller’s headquarters. The data controller reserves the right to change this policy at any time. It will of course inform its audience of any changes in due time.

The data controller is committed to protecting the personal data of its partners and customers, and attaches the utmost importance to respecting the right of customers to information self-determination. The data controller treats personal data confidentially and takes all security, technical and organizational measures to ensure the security of the data. The data controller describes its data management practices below.

  1. Personal, material and temporal scope of the Privacy Policy:

The personal scope of this Privacy Policy covers the data controller and the natural persons whose data are included in the processing covered by this Policy, as well as persons whose rights or legitimate interests are affected by the processing.

The scope of the Policy covers all processing that occurs in the course of the data controller’s activities.

These Policy shall enter into force on the date of approval and shall remain in force indefinitely until further notice.

  1. Key definitions:

Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

Special data: any data in special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.

Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction or destruction.

Data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.

Joint data controllers: if the purposes and means of data processing are jointly determined by two or more data controllers, they are considered to be joint data controllers.

Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the data controller, the processor or the persons who, under the direct authority of the data controller or processor, are authorized to process personal data.

Consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her.

Data protection incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

  1. Lawful data processing by the data controller:

Personal data will only be processed by the data controller in the following cases:

  1. where the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
  2. the data processing is necessary for the performance of a contract to which the data subject is a party,
  3. the data processing is necessary for compliance with a legal obligation to which the data controller is subject,
  4. the data processing is necessary for the protection of the vital interests of the data subject or of another natural person,
  5. the data processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party.

The data controller checks the lawfulness of data processing at all stages of its activities, and only processes data for which it can justify the purpose and legal basis. In the event that the conditions of a legal basis cease to apply, data processing may only be resumed if the data controller can demonstrate an appropriate alternative legal basis.

As a general rule, the method of justification of the legal basis is in writing, but even in the case of a legal basis established by imputability, it must be examined whether it can be clearly justified ex post. In case of doubt, in the interests of reasonableness and economy, efforts should be made to confirm in writing the data processing by imputability.

In the case of data processing based on consent, the data subject gives his or her written consent to the processing of his or her personal data. Consent is not formally required, but subsequent evidence requires written consent on paper or in electronic form.

The fulfilment of a legal obligation based on the legal basis of data processing is independent of the consent of the data subject, as data processing is defined by law.

Irrespective of the mandatory nature of data processing, the private individual concerned must be informed before the data processing starts that the data processing is mandatory and cannot be avoided, and the data subject must be provided with clear and detailed information on all relevant facts concerning the processing of his or her data before the data processing starts.

According to the GDPR (General Data Protection Regulation), personal data may also be processed where the data processing is necessary for the performance of a contract to which the individual concerned is a party or where the data processing is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract. The data controller may process personal data for the purposes of the conclusion, performance or termination of the contract on the basis of the legal basis for performance of the contract.

  1. Processing of personal data by the data controller:

The data controller is engaged in commercial activities, selling its own products (e.g. gingerbread, textile dolls, unique cutlery). It also organizes workshops (gingerbread decorating workshops on various themes). In the course of these activities, personal data of natural persons are processed. It carries out the following data processing activities:

  1. The data controller receives orders in connection with its commercial activities, in the course of selling its products, by telephone, e-mail or through social networking sites. Customers may be both individuals and legal entities. In the case of an order, the data controller requests the name (including the name of the contact person in the case of a legal person), address (billing, delivery), e-mail address and telephone number of the customer. The legal basis for the processing of personal data is the performance of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). In the case of a legal person, the personal data of the contact person are processed on the basis of the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The purpose of processing personal data is to fulfil contractual obligations, to maintain contact and to send the ordered product to the data subject. The data controller issues receipts or invoices to its customers for the value of the products it has produced and sold. The receipt does not contain personal data. The invoice will contain the name, address and possibly the tax number of the customer. The legal basis for the processing of personal data is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax on Small Taxable Enterprises and Small Business Tax on the storage of personal data contained in the invoice and shall store them for 5 years.
  1. Data Controller also offers the possibility to buy individual products. The data controller’s customers for this activity can be both individuals and legal entities. The contractual relationship is established by a request for a quote, by telephone, e-mail or through the use of social networking sites. The applicant provides his/her name, telephone number and e-mail address to which the data controller sends his/her offer. If the offer is rejected, the personal data of the interested party will be deleted immediately and at the latest within 30 days. The legal basis for the processing of personal data is the establishment of a contract (Article 6(1)(b) of the General Data Protection Regulation). If the data subject accepts the offer and orders the product, a contractual relationship is established between the parties. The data controller then has access to further personal data of individuals (partners and contacts). The legal basis for the data processing is the performance of the contractual obligation (Article 6(1)(b) of the General Data Protection Regulation), in the case of a contact person of a legal person, the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The data controller issues a receipt or invoice for the value of the individual products it has produced and sold. The receipt does not contain personal data. The invoice contains the name, address and possibly the tax number of the customer. The issuing of an invoice is a statutory obligation of the data controller. The legal basis for the processing of personal data on the invoice is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax on Small Taxable Enterprises and Small Business Tax on the Retention of Personal Data on the Invoice and shall store such data for a period of 5 years.
  1. The data controller also organizes workshops and courses. You can register for these programs by phone, email or through social networking sites. When applying, the data controller will ask for the name, address, e-mail address and telephone number of the data subject. The purpose of the data processing is to complete the registration for the program, to provide the possibility of contacting the data subject and to organize the program. The legal basis for processing personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). The data controller will issue an invoice for the amount of the participation fee. The invoice will contain the name, address and possibly the tax number of the customer. The legal basis for the processing of personal data, fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax on Small Taxable Enterprises and Small Business Tax on the Retention of Personal Data contained in the invoice and shall store them for a period of 5 years.
  1. According to the provisions of Act LXXVII of 2013 on Adult Education, in the case of training courses that qualify as adult education, special provisions apply to the processing of participants’ personal data, the conclusion of contracts and the provision of data to the adult education data system. During the application process, the data controller requests the data subject’s natural personal identification data (name, name at birth, place and date of birth, mother’s name), address, e-mail address, highest educational qualification. The purpose of the data processing is to provide the possibility of contacting the data subject, to organize the training, to issue the invoice and to fulfil the mandatory data provision in accordance with the provisions of the Adult Education Act. The legal basis for the processing of personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation) and the fulfilment of legal obligations (Article 6(1)(c) of the General Data Protection Regulation). The data controller issues an invoice for the training fee to the participant. The invoice shall contain the name, address and possibly the tax number of the participant. The issuing of the invoice is a statutory obligation of the data controller. The legal basis for the processing of the personal data on the invoice is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The data controller shall keep the documents relating to the training for a period of 8 years in accordance with the provisions of the Adult Education Act.
  1. In the performance of its tasks, the data controller processes the e-mail addresses and telephone numbers of its partners, customers, clients and customers in order to fulfil its contractual obligations (Article 6(1)(b) of the General Data Protection Regulation) or on the basis of their individual consent (Article 6(1)(a) of the General Data Protection Regulation).
  1. The data controller may also have contractual relationships with subcontractors, suppliers and service providers in the course of his or her work, which also provide a basis for the processing of personal data. In this case, the legal basis for the processing of personal data is (in the case of a natural person or an individual entrepreneur) the performance of a contractual obligation (Article 6(1)(b) of the General Data Protection Regulation), and in the case of personal data of a contact of a legal person, the explicit, prior informed consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
  1. The data controller also offers the possibility to subscribe to a newsletter by entering your name and e-mail address. By subscribing to the newsletter, the data subject declares that he/she has read the Privacy Notice of the data controller and that he/she gives his/her consent to the processing of his/her personal data for marketing purposes. The data subject has the rights described in the Privacy Notice and may exercise those rights in the manner and at the places described therein. Accordingly, the legal basis for the processing of personal data in the course of sending the newsletter is the explicit and written informed consent of the subscriber (Article 6(1)(a) of the General Data Protection Regulation).
  1. The data controller also operates social networking sites, where personal data is also processed. It also uses social networking sites to promote its activities, the services it provides and the products it sells. The data controller also occasionally organizes prize draws on its social networking sites. In this case, the personal data of the winner (name, address, telephone number) will be processed. The legal basis for data processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
  1. The data controller occasionally takes photos or videos of your customers, clients and workshop participants. If the recording shows a recognisable individual, the recording will only be made and used – in connection with the data controller’s social networking sites or other appearances – with the prior, informed, written and voluntary consent of the data subject. The legal basis for data processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).
  1. The purpose of data processing in relation to the data controller’s activities is to enable the communication of the complaint, to identify the data subject and the complaint, to record the data required to be recorded by law, to investigate the complaint and to contact the data controller in connection with its resolution.

Once a complaint has been lodged, the handling of the complaint, and thus the processing of personal data, is mandatory under Act CLV of 1997 on Consumer Protection. The legal basis for processing personal data is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).

Data controller keeps data processing records of the data processing described above. The register shall also contain the time limits for the deletion of personal data. The register is an annex to this Privacy Policy.

  1. Data processors associated with the data controller:

If data processing is carried out by another party on behalf of the data controller, the data controller may only use data processors that provide adequate guarantees of compliance with the requirements of the General Data Protection Regulation or implement appropriate technical and organizational measures to ensure the protection of the rights of data subjects.

The data controller hereby declares that, in the course of its work, it will only use data processors that provide adequate guarantees of compliance with the GDPR Regulation and implement appropriate technical and organizational measures to ensure the protection of the rights of data subjects. The relevant declarations of the data processors are available to you.

By becoming aware of and accepting this Privacy Policy, data subjects agree that the data controller may transfer their personal data to the data processors and joint data controllers listed below.

Owner of the social video sharing site YouTube:

Contracted data processor and data controller partners process partners’ personal data only on the basis of instructions given by the data controller (except where required by law) and under an obligation of confidentiality.

  1. Data processing related to contracts concluded by the data controller:

Customer contracts:

The data controller receives orders in connection with its commercial activities, in the course of selling its products, by telephone, e-mail or through social networking sites. Customers may be both individuals and legal entities. When placing an order, the data controller asks for the name of the customer (including the name of the contact person in the case of a legal person), his/her address (billing, delivery), e-mail address and telephone number. The legal basis for the processing of personal data is the performance of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). In the case of a legal person, the personal data of the contact person are processed on the basis of the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The purpose of processing personal data is to fulfil contractual obligations, to maintain contact and to send the ordered product to the data subject. The data controller will issue a receipt or invoice to its customers for the value of the products it has produced and sold. The receipt does not contain personal data. The invoice will contain the name, address and possibly the tax number of the customer. Legal basis for processing personal data, compliance with legal obligations (General Data Protection Regulation

The data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax on Small Taxable Enterprises and Small Business Tax and shall store the personal data for a period of 5 years.

It is also possible to purchase individual products from the data controller. The data controller’s customers in this activity can be both individuals and legal entities. The contractual relationship is established by a request for a quote, by telephone, e-mail or by using social networking sites. The applicant provides his/her name, telephone number and e-mail address to which the data controller sends his/her offer. If the offer is rejected, the personal data of the interested party will be deleted immediately and at the latest within 30 days. The legal basis for the processing of personal data is the establishment of the contract (Article 6 of the General Data Protection Regulation

(If the data subject accepts the offer and orders the product, a contractual relationship is established between the parties. The data controller then has access to further personal data of individuals (partners and contacts). The legal basis for the data processing is the performance of the contractual obligation (Article 6(1)(b) of the General Data Protection Regulation), in the case of a contact person of a legal person, the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The data controller issues a receipt or invoice for the value of the individual products it has produced and sold. The receipt does not contain personal data. The invoice contains the name, address and possibly the tax number of the customer. The issuing of an invoice is a statutory obligation of the data controller. The legal basis for the processing of personal data on the invoice is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax on Small Taxable Enterprises and Small Business Tax on the Retention of Personal Data on the Invoice and shall store such data for a period of 5 years.

The data controller also organizes workshops and courses. You can register for these programs by phone, email or through social networking sites. When you apply, the data controller will ask for your name, address, e-mail address and telephone number. The purpose of the data processing is to complete the registration for the program, to provide the possibility of contacting the data subject and to organize the program. The legal basis for processing personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). The data controller will issue an invoice for the amount of the participation fee. The invoice will contain the name, address and possibly the tax number of the customer. The legal basis for the processing of personal data, fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax on Small Taxable Enterprises and Small Business Tax on the Retention of Personal Data contained in the invoice and shall store them for a period of 5 years.

Personal data processing related to adult education:

According to the provisions of Act LXXVII of 2013 on Adult Education, in the case of training courses that qualify as adult education, special provisions apply to the processing of participants’ personal data, the conclusion of contracts and the provision of data to the adult education data system. During the application process, the data controller requests the data subject’s natural personal identification data (name, name at birth, place and date of birth, mother’s name), address, e-mail address, highest educational qualification. The purpose of the data processing is to provide the possibility to contact the data subject, to organize the training, to issue the invoice and to fulfil the mandatory data provision in accordance with the provisions of the Adult Education Act. The legal basis for the processing of personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation) and the fulfilment of legal obligations (Article 6(1)(c) of the General Data Protection Regulation). The data controller will invoice the participant for the training fee. The invoice shall contain the name, address and possibly the tax number of the participant. The issuing of the invoice is a statutory obligation of the data controller. The legal basis for the processing of the personal data on the invoice is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The data controller shall keep the documents relating to the training for a period of 8 years in accordance with the provisions of the Adult Education Act.

Supplier contracts:

The data controller may also manage the contact details (name, e-mail address, telephone number) of suppliers and may contact service providers and subcontractors. In order to communicate with partners, personal data may also be collected in these cases

The legal basis for the processing of personal data is the performance of a contractual obligation (Article 6(1)(b) of the General Data Protection Regulation) or the consent of the contact person (Article 6(1)(a) of the General Data Protection Regulation).

The data controller, with the contact persons of the companies, will fill in a consent form informing them of their rights in relation to personal data and asking for their consent to process their data. In such cases, the legal basis for the processing of personal data is the explicit, written and duly informed consent of the data subject to the data processing (Article 6(1)(a) of the General Data Protection Regulation). If the contract with the partner has been terminated and there is no legal obligation to keep the data or documents, the telephone numbers and e-mail addresses will be deleted. The personal data contained in the contract and invoice will also be stored in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax on Small Taxable Enterprises and Small Business Tax and will be stored by the data controller for 5 years.

  1. Processing of invoices issued to customers and personal data contained therein:

The data controller issues a receipt or invoice for the services and products it has provided and sold. The receipt does not contain any personal data. The invoice contains the name, address and possibly the tax number of the customer. The issuing of an invoice is a statutory obligation of the data controller. Legal basis for processing the personal data on the invoice, fulfilment of a legal obligation (General Data Protection Regulation

The data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax of Small Taxable Enterprises and Small Business Tax and shall store the personal data contained in the invoice for a period of 5 years. If the data controller carries out adult education activities, the documents related to the training, including the invoice, will be kept for 8 years in accordance with the provisions of the Adult Education Act.

  1. Children’s data, processing of special categories of personal data:

The data controller intends to provide its services and products only to persons over the age of 18.

The data controller does not process or store personal data of children in any of its systems.

Specific data that the data controller has been made aware of or has become aware of will not be recorded by the data controller. If such data has been entered into any system of the data controller without the knowledge of the data controller, it will be deleted from the system immediately upon detection.

11. Procedure for the retention of e-mail addresses, telephone numbers:

In the course of its activities, the data controller also obtains the e-mail addresses and telephone numbers of its partners, customers and clients. The personal data thus entered into its system is processed primarily for the purpose of fulfilling its contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). If the contract with the partner has been terminated and there is no legal obligation to retain data or documents, the telephone numbers and e-mail addresses will be deleted. In some cases, the data controller will still have a legitimate interest in retaining the data and will ask for the explicit and written consent of the data subject to retain his or her personal data (Article 6(1)(a) of the General Data Protection Regulation).

  1. Taking photos and videos at the data controller:

The data controller occasionally takes photos or videos of your customers, clients and workshop participants. If the recording shows a recognizable individual, the recording will only be made and used – in connection with the data controller’s social media pages or other appearances – with the prior, informed, written and voluntary consent of the data subject. The legal basis for data processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).

If the data subject withdraws his or her consent and requests the cessation of the use of the recording, or the deletion of the recording, the data controller will comply with this request without delay.

  1. Subscription to the newsletter:

The data controller also offers the possibility to subscribe to a newsletter. When subscribing to the newsletter, the data subject declares that he/she has read the Privacy Notice of the data controller and that he/she gives his/her consent to the processing of his/her personal data for marketing purposes (sending newsletters). The data subject has the rights described in the Privacy Notice and may exercise these rights in the manner and at the places described therein. Accordingly, the legal basis for the processing of personal data in the context of sending newsletters is the explicit and written consent of the subscriber (Article 6(1)(a) of the General Data Protection Regulation).

The purpose of the data processing in connection with the sending of newsletters is to provide the recipient with complete general or personalized information on the latest news and information about the latest developments at the data controller, in accordance with the applicable and valid legislation. The subscription to the newsletter and/or the sending of newsletters for DM purposes is based on voluntary consent, the data controller will of course give the data subject the possibility to withdraw his or her consent and unsubscribe from the newsletter at any time.

  1. Social media pages of the data controller:

The data controller also operates a Facebook page, where personal data is also processed. The data controller also promotes its activities on Facebook, presenting its services and products. The data controller uses this page for marketing purposes.

https://www.facebook.com/Mezesmanna/

The data controller also provides comprehensive personal support via Facebook. If you ask him a question via Facebook, he will try to answer it as soon as possible. You will use the data you receive on Facebook only to answer your question and not for any other advertising purposes.

The purpose of using the Facebook page is to advertise and provide information on social media platforms. Facebook may also use the data for its own purposes, including profiling and targeting the data subject with advertising.

To be able to contact the data controller via Facebook, you must be logged in. To do this, Facebook may also request, store and process personal data. The data controller has no control over the type, scope and processing of this data and does not receive personal data from the Facebook operator. For more information on this, please visit the Facebook page.

The data controller also occasionally organizes a prize draw on its social networking pages. In such cases, the winner’s personal data will be processed for the purpose of forwarding the prize. The data controller will process the winner’s data on the basis of the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation) and will store it for the statutory retention period.

Personal data of Facebook page followers are processed by the data controller on the basis of their consent (Article 6(1)(a) of the General Data Protection Regulation), which is deemed to be given by the fact that the person concerned likes, follows or comments on the page and its posts.

The data controller is also present on the Instagram social networking site with the following profile:

https://www.instagram.com/mezesmanna/

Personal data of followers are processed on the Instagram page. Data processing is carried out on the basis of the consent given by the follower (Article 6(1)(a) of the General Data Protection Regulation).

Another community page of the data controller, where the legal basis for data processing is also the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation):

https://www.youtube.com/channel/UCsokw3wUo5NeC0FplmCvX7Q

  1. Handling of complaints about the data controller’s activities:

The purpose of data processing in relation to the data controller’s activities is to enable the communication of the complaint, to identify the data subject and the complaint, to record the data required to be recorded by law, to investigate the complaint and to contact the data controller in connection with its resolution.

Once a complaint has been made, the handling of the complaint, and thus the processing of personal data, is mandatory under Act CLV of 1997 on Consumer Protection. The legal basis for processing personal data is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).

The data controller will keep the record of the complaint and a copy of the reply for 3 years and will therefore process the personal data for this period.

  1. Security of data processing:

The data controller undertakes to ensure the security of the data, to take technical and organizational measures and to maintain procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorized use or unauthorized alteration. It also undertakes to require any third party to whom it transfers or discloses the data to comply with the requirements of data security.

The data controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorized persons. The data processed may only be accessed by the data controller and its data processor(s) and shall not be disclosed to third parties who are not authorized to access the data.

The data controller shall pay particular attention to the security of the personal data of its partners, customers and clients. It shall act in full compliance with the legal provisions and shall require all its partners to do the same. Personal data protection includes physical data protection (storage of documents in a lockable room) as well as IT protection.

The data controller shall store the personal data provided by the data subject primarily on the servers of the data processor(s) specified in this Privacy Policy, equipped with the usual protection systems, and partly on its own IT equipment, in the case of paper data media, at its headquarters, in an appropriately locked manner.

The data subjects acknowledge and accept that the protection of their personal data cannot be fully guaranteed on the Internet and on computer systems when they provide their personal data. In the event of unauthorized access or disclosure, despite the efforts of the data controller, the procedure set out in this policy shall apply.

  1. Data subjects’ rights in data processing:

This Privacy Policy also aims to provide clear, concise, transparent and understandable information about the data processing activities of the data controller.

The data subject is entitled to receive feedback from the data controller as to whether or not his or her personal data is being processed and, if such data processing is in progress, to have access to the personal data and the following information:

You can request information about the above data from the data controller at the following address, e-mail address:

Judit Czinkné Poór sole proprietor 8400 Ajka, Rákóczi Ferenc utca 2. 2. em.

4. a.

E-mail: mezesmanna@gmail.com

The data controller hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The data subject has the right to have inaccurate personal data relating to him or her corrected by the data controller at his or her request.

You can request information about the above data from the data controller at the following address, e-mail address:

Judit Czinkné Poór sole proprietor 8400 Ajka, Rákóczi Ferenc utca 2. 2. em.

4. a.

E-mail: mezesmanna@gmail.com

The data controller hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The data subject has the right to have personal data relating to him or her erased by the data controller at his or her request. The data controller is obliged to delete personal data on the basis of such a request if one of the following grounds applies:

You can request information about the above data from the data controller at the following address, e-mail address:

Judit Czinkné Poór sole proprietor 8400 Ajka, Rákóczi Ferenc utca 2. 2. em.

4. a.

E-mail: mezesmanna@gmail.com

The data controller hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The data subject has the right to request that the data controller restrict data processing, in particular if:

You can request information about the above data from the data controller at the following address, e-mail address:

Judit Czinkné Poór sole proprietor 8400 Ajka, Rákóczi Ferenc utca 2. 2. em.

4. a.

E-mail: mezesmanna@gmail.com

The data controller hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The data subject has the right to receive personal data concerning him or her in a structured, commonly used, machine-readable format and the right to transmit such data to another data controller.

You can request information about the above data from the data controller at the following address, e-mail address:

Judit Czinkné Poór sole proprietor 8400 Ajka, Rákóczi Ferenc utca 2. 2. em.

4. a.

E-mail: mezesmanna@gmail.com

The data controller hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of his or her personal data, as provided for in Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.

You can request information about the above data from the data controller at the following address, e-mail address:

Judit Czinkné Poór sole proprietor 8400 Ajka, Rákóczi Ferenc utca 2. 2. em.

4. a.

E-mail: mezesmanna@gmail.com

The data controller hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The data subject shall have the right not to be subject to a decision based solely on automated data processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her. Automated decision making is any process or methodology whereby a technical automatism evaluates the personal characteristics of the data subject and which produces legal effects concerning him or her or significantly affects him or her. The data controller shall not use IT automata, including profiling, which have a significant impact on the rights of the data subject.

You can request information about the above data from the data controller at the following address, e-mail address:

Judit Czinkné Poór sole proprietor 8400 Ajka, Rákóczi Ferenc utca 2. 2. em.

4. a.

E-mail: mezesmanna@gmail.com

The data controller hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The data controller undertakes to inform all recipients to whom it has disclosed the personal data of any requests sent to it in connection with the above rights, unless this proves impossible. It also undertakes to notify the data subject (applicant) of the decision on the processing of the above requests within 30 days at the latest.

  1. Data protection breaches:

A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In the event of a data breach, the level of the breach must be at a serious risk level, i.e. the breach must be of such a degree that the personal data involves:

An incident is considered to occur if any one of the above occurs, but this does not exclude that more than one of the above may occur at the same time. This includes not only intentional malicious conduct but also negligent injuries. An incident therefore occurs when it is caused by an accidental or unlawful act.

Examples of data breaches include:

A data breach may cause physical, pecuniary or non-pecuniary damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft, if not addressed in an appropriate and timely manner, or misuse of identity, financial loss, unauthorized impersonation, damage to reputation, damage to the confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantages suffered by the natural persons concerned.

In the event of a potential data breach (unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons), the data controller shall immediately notify the National Authority for Data Protection and Freedom of Information. As soon as the data controller becomes aware of the incident, it shall notify it without undue delay and, if possible, no later than 72 hours after becoming aware of the data breach. If the notification cannot be made within 72 hours, the notification shall state the reason for the delay and shall provide the required information in detail without further undue delay.

For the notification of a personal data breach, the National Authority for Data Protection and Freedom of Information operates a dedicated system on its website through which notifications can be made electronically.

The data controller shall keep a record of the data breaches, indicating the facts related to the data breach, its effects and the measures taken to remedy it. The data controller shall keep a record of the data relating to the incident, including the causes, the events and the personal data involved. In addition, the record should also include the effects and consequences of the incidents and the actions taken to remedy them, and the data controller’s conclusions (for example, why it believes the incident is not reportable, or if the reporting is delayed, the reason for the delay).

An incident that is unlikely to pose a risk to the rights and freedoms of natural persons does not need to be notified to the supervisory authority.

If the personal data breach is likely to pose a high risk to the rights and freedoms of the data controller’s partners, customers or clients, we will inform the partner concerned without delay. The information provided to the data subject shall clearly and conspicuously describe the nature of the personal data breach and provide the most relevant information and measures.

The data subject need not be informed as described above if any of the following conditions are met:

  1. Information on the main relevant legislation:
  1. Right to apply to the courts:

The data subject may take the data controller to court if his or her rights are infringed. The court will decide the case out of turn.

  1. Data protection authority procedure:

You can lodge a complaint with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information

Premises: 1055 Budapest, Falk Miksa u. 9-11.

Mailing address: 1363 Budapest, Pf. 9.

Telephone: 0613911400

Fax: 0613911410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu

  1. Other provisions:

The data controller will provide information on data processing not listed in this policy at the time of data collection. In such cases, the provisions of the applicable legislation shall prevail.

The data controller hereby informs its customers that the court, the prosecutor, the investigating authority, the infringement authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, the National Bank of Hungary, or other bodies authorized by law may contact the data controller to provide information, to disclose or transfer data, or to provide documents. The data controller shall disclose to the authorities – if the authorities have indicated the precise purpose and scope of the data – personal data only to the extent and to the extent that is strictly necessary for the purpose of the request.

The Data Controller’s website contains further information on the data protection rights referred to in this Privacy Policy.

Ajka, 20.08.2018

Judit Czinkné Poór

sole proprietor

ANNEX 1

No.Name of processing of personal dataPurpose of data processingLegal basis for data processingTime limit for deletion of personal data
1.Personal data provided during purchase and ordering.Performance of the contract, to maintain contact.Performance of the contract (Article 6(1)(b) of the General Data Protection Regulation).Within 30 days of the expiry of the legal retention period (5 years).
2.Personal data of the contact person of the legal person when making a purchase or placing an order.To fulfil a contractual obligation.Based on the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).In case of withdrawal of consent, without delay. Within 30 days after the termination of the contract, unless the law provides for an obligation to keep the contract (within 30 days after the expiry of the obligation).
3.Personal data of the natural person or sole trader (name, e-mail address, telephone number).To make an offer, to maintain contact.Creation of the contract (Article 6(1)(b) of the General Data Protection Regulation).If the offer is not accepted, it will be cancelled immediately and at the latest within 30 days.
4.Personal data (name, e-mail address, telephone number) of the contact person of the legal entity when requesting a tender.To make an offer, to maintain contact.Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).Without delay in the event of withdrawal of consent. If the offer is not accepted, it will be cancelled immediately and at the latest within 30 days.
5.Personal data obtained in the course of the contractual relationship in the case of a natural person, sole trader (name, address, e-mail address, telephone number).Performance of the contract.Fulfilment of a contractual obligation (Article 6(1)(b) of the General Data Protection Regulation), followed by fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).Within 30 days of the expiry of the legal retention period (5 years).
6.Personal data (name, e-mail address, telephone number) of the contact person obtained in the course of a contractual relationship with a legal person.Performance of the contract, to maintain contact.Based on the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).In case of withdrawal of consent, without delay. Within 30 days after the termination of the contract, unless the law provides for an obligation to keep the contract (within 30 days after the expiry of the obligation).
7.Personal data (name, address, e-mail address, telephone number) provided when applying for a workshop or course.Performance of the contract, to maintain contact.Establishment of the contract, performance of the contractual obligation (Article 6(1)(b) of the General Data Protection Regulation).Within 30 days of the expiry of the legal retention period (5 years).
8.Personal data provided when applying for adult education.To fulfil the contract, maintain contact and provide data.Contractual legal basis (Article 6(1)(b) of the General Data Protection Regulation) and performance of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).The legal obligation to keep the data for 30 days (after 8 years).
9.Personal data on the invoice issued to the users of the service, customers (natural persons, sole traders).Fulfilling a legal obligation, issuing an invoice.Compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).The legal obligation to keep the data (within 30 days after 5 years).  In the case of adult education, 30 days after the end of the 8th year.
10.Data processing related to incoming emails (sender’s email address), telephone numbers.For the performance of a contractual obligation or on the basis of consent.Performance of a contractual obligation (Article 6(1)(b) of the General Data Protection Regulation) or the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).Within 30 days of the completion of the task or immediately after the withdrawal of consent, but no later than 30 days.
11.Personal data of suppliers, service providers and subcontractors (in the case of a natural person or sole trader).To fulfil a contractual obligation.Performance of a contractual obligation (Article 6(1)(b) of the General Data Protection Regulation).The legal obligation to keep the data for 30 days (5 years after the expiry of the legal obligation).
12.Personal data of contact persons of suppliers, service providers, subcontractors.To fulfil a contractual obligation.Based on the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).In case of withdrawal of consent, without delay. Within 30 days after the termination of the contract, unless the law provides for an obligation to keep the contract (within 30 days after the expiry of the obligation).
13.Personal data provided when subscribing to the newsletter (name, e-mail address).To send a newsletter.Based on the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).Immediately after the withdrawal of consent.
14.Personal data that have come to the attention of the data controller during the use of social networking sites.To promote our activities, services and products.Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).Immediately after the withdrawal of consent.
15.Personal data processing for winners of prize draws.To conduct the competition and draw, select and notify the winner, and deliver the prize.Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).Within 30 days of the expiry of the legal obligation to keep the data (5 years).
16.Images from photographs and videos of clients and workshop participants.Promotion of activities, services and products, use of footage on social networking sites and other media.Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).Without undue delay, but no later than 30 days after the withdrawal of consent.
17.Personal data collected in the course of complaint handling.To identify and address the complaint.Compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).Within 30 days of the expiry of the legal retention period (3 years).