General Data Protection Regulation - the Hungarian manual is authoritative

1. Data controller

Data controller: Reszler Klaudia (Reszler Klaudia e.v.)

Seat: 1158 Budapest, Neptun u. 13/b

Site: 1076 Budapest, Péterfy Sándor u. 22.

Tax nr: 59775683-1-42

Website: https://rkslowbeautysalon.hu

Email: k.reszler.work@gmail.com

Telephone: +36 30 528 6834, +36 30 4580504

 

2. Relevant general legislation on which processing is based

➢ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR or General Data Protection Regulation)

➢ Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act)

3. Definitions

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data includes: name, address, date and place of birth, mother’s name.

 

Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person, which give unique information concerning his physiology or state of health, and which result from the analysis of a biological sample taken from that natural person.

 

Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

 

Data concerning health: personal data concerning the physical or mental health of a natural person, including data relating to the provision of health care services to a natural person, which reveal information about that natural person’s state of health.

 

Filing system: a set of personal data structured in any way, whether centralised, decentralised, or dispersed on a functional or geographical basis, which can be accessed according to specific criteria.

 

Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

 

Pseudonymisation: processing of personal data in such a way that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately, and technical and organisational measures are taken to ensure that the personal data are not attributed to an identified or identifiable natural person.

 

Data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

 

Data processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

 

Recipient: a natural or legal person, public authority, agency, or any other body, to which the personal data are disclosed, whether a third party or not.

 

Third party: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

 

Consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

Supervisory authority: an independent public authority established by a Member State in accordance with Article 51 of the GDPR, such as the National Authority for Data Protection and Freedom of Information in Hungary.

 

4. Principles

The Data Controller observes the following principles when processing personal data. Personal data shall be:

  a. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘legality, fairness and transparency’);
  b. collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the initial purpose in accordance with Art. 89 para. 1 GDPR (“purpose limitation”);
  c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may only be stored for a longer period if the personal data will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR, subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of data subjects (‘storage limitation’);
  f. processed in such a way as to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  g. The controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).

 

5. Legal bases for data processing

The Data Controller shall process personal data if at least one of the following conditions is met:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; 
  3. processing is necessary for compliance with a legal obligation to which the controller is subject; 
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person; 
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; 
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

6. Data processing activities

 

  1. Data processing related to invoicing

 

Personal data processed 

Purpose of data processing: issuing an invoice to an individual

Data: customer name, address

➢ Legal basis for data processing: Section 159 (1) of Act CXXVII of 2007 on Value Added Tax (VAT Act)

➢ Duration of data processing: 8 years under Section 169(1) of Act C of 2000 on Accounting (Accounting Act)

 

  2. Data processing related to the performance of services

Personal data processed 

Purpose of data processing: to document the services that can be performed (indications, contraindications) and those performed, for health purposes (e.g. in case of possible allergies), and to record consent.

Data: data on client data sheet, painter book, massage consent form

Personal information necessary for the performance of the service (it is possible to refuse to provide information, only data to which the customer has given consent will be stored)

Legal basis for data processing: Article 6 (1) (b) of the GDPR, performance of the contract to be concluded based on the Civil Code.

Duration of data processing: 5 years according to Section 6:22 of the Civil Code

 

7. Access to and transfer of data

Personal data may be accessed by the Data Controller, the respective accountant and, in case of any health problem, the designated doctor to perform their duties.

The Data Controller transfers the personal data processed by it to other state bodies only in the manner and for the purpose specified by law. This applies, for example, if the police or prosecutor’s office contacts the Data Controller and requests the transmission of documents containing the given personal data for an investigation.

The Data Controller uses a Data Processor during data processing. The Data Processors do not make independent decisions; they are only entitled to act in accordance with the contract concluded with the Data Controller and the instructions received. The Data Controller only uses Data Processors that implement appropriate technical and organizational measures to guarantee a level of data security appropriate to the degree of risk. The specific tasks and responsibilities of the Processor are governed by the contract between the Data Controller and the Processor.

 

The Data Controller uses the following Data Processors in the course of its data processing activities:

  • accounting tasks (only for electronically issued documents)

 

8. Data security measures

The Data Controller stores personal data on the servers of the server service provider (in case of electronic invoicing). The Data Controller shall take appropriate IT, technical and personal measures to protect the personal data managed by it against, among other things, unauthorized access or unauthorized alteration. For example, access to data stored in the IT system is logged, i.e. it is always possible to check who accessed which personal data and when.

 

9. Rights related to data processing

➢ Right to request information: the data subject may request information from the Data Controller in writing through the contact details provided in Section 1 on:

 

  • what personal data,
  • on what legal basis,
  • for what purpose of data processing,
  • from what source,
  • for how long the Data Controller processes it,
  • to whom, when, on what legal basis, and to which personal data the Data Controller granted access, or to whom it transferred the personal data.

The Data Controller shall comply with the request of the data subject within a maximum of one month by sending a letter to the contact details provided by the data subject.

 

➢ Right to rectification: the data subject may request in writing through the contact details provided in Section 1 that the Data Controller modify any of his/her personal data (for example, he/she may change his/her e-mail address or other contact details at any time). The Data Controller shall comply with the request within a maximum of one month and give notification of this by sending a letter to the contact details provided by the data subject.

 

➢ Right to erasure: the data subject may request the erasure of his/her personal data from the Data Controller in writing using the contact details provided in Section 1. The Data Controller shall reject the request for erasure if the Data Controller is obliged by law to further store the personal data. However, if there is no such obligation, the Data Controller shall process the data subject’s request within a maximum of one month and send notification of this to the contact details provided by the data subject.

 

➢ Right to blocking (restriction of processing): the data subject may request in writing through the contact details provided in Section 1 that his or her personal data be blocked by the Data Controller (by clearly indicating the restricted nature of data processing and ensuring separate processing from other data). The blocking lasts as long as the reason indicated by the data subject requires the storage of the data. The data subject may request the blocking of the data, for example, if he or she believes that his or her submission has been unlawfully handled by the Data Controller, but for the purposes of the official or judicial proceedings initiated by him or her, it is necessary that the submission is not deleted by the Data Controller. In this case, the Data Controller will continue to store the personal data (e.g. the given submission) until the authority or court requests it, after which it will delete the data.

 

➢ Right to object: the data subject may object to data processing in writing through the contact details provided in Section 1 if the Data Controller would transmit or use the personal data for the purpose of public opinion research or scientific research. For example, you may object to the use of personal data for scientific research purposes without the consent of the Data Controller.

 

10. Possibility of enforcing rights related to data processing

In the event of a breach of his or her right to the protection of his or her personal data, the data subject shall have the right to seek legal remedy from the following Authority:

 

National Authority for Data Protection and Freedom of Information (NAIH)

address: Budapest, Szilágyi Erzsébet fasor 22c, 1125

1530 Budapest, Pf.: 5.

Tel: +36 (1) 391-1400

website: www.naih.hu

email: ugyfelszolgalat@naih.hu

 

Initiation of court proceedings: if the data subject finds the processing of his or her personal data to be unlawful, he or she may initiate a civil action against the Data Controller. The case falls within the jurisdiction of the tribunal. At the choice of the data subject, the action may also be brought before the court of the place of residence of the data subject (the contact details of the tribunals are available at the following link: https://birosag.hu/torvenyszekek).

 

11. Update and availability of the Privacy Policy

The Data Controller reserves the right to unilaterally amend this Privacy Policy. This notice may be amended if it is necessary due to changes in legislation, data protection authority practices, business needs or newly discovered security risks. At the request of the data subject, the Data Controller shall send the data subject a copy of the information in force at any time, in a form agreed with the data subject.

 

12. General information about cookies

When you (the visitor) access the website (https://rkslowbeautysalon.hu), if this is permitted by the browser settings you use, the website may automatically save information about your computer or browsing device (tablet, smartphone, portable smart devices) or place so-called computer cookies or other similar programs on it for this purpose.

 

What is a cookie?

Cookies are small data files that the operator of a website places on the visitor’s computer while the website is being used; the visitor’s internet browser downloads them from the website, saves and stores them. A cookie is therefore a means of exchanging information between a web server and the user’s browser. In case of a later visit, the operator can use the cookie to identify the visitor, distinguish him or her from other users, or even send customized information in the browser window.

Cookies can store a wide variety of information, including personally identifiable information (such as name, address, email address or phone number). However, this is only information that you provide to the website; information that the user does not want to provide is not sent to the website, nor can cookies access files stored on the computer.

It is also important to note that cookies cannot run, do not contain spyware or viruses, and cannot access users’ hard drives.

 

What does the website use cookies for?

In general, cookies or similar programs facilitate the use of the website, help the website to provide visitors with a real web experience and an efficient source of information, and enable the website operator to control the operation of the site, prevent abuse and provide the site’s services smoothly and at an appropriate level.

 

What types of cookies can you encounter on the website?

The cookies available on websites generally fall into two categories.

  • Session cookies: these cookies are absolutely necessary for the provision of an information society service explicitly requested by the user, and they are linked to the user’s activity (such as session cookies that help customize the user interface).

You can find more information about other cookies used here: 

The cookies in this group are valid only for your current visit: when you close your browser, these cookies are automatically deleted, or they are stored on your computer only for a very short time.

If these cookies are used, it is sufficient for the website operator to provide prior information to visitors using its website.

  • Cookies whose purpose or function goes beyond the operation of the website:

These cookies are mostly cookies from third parties (e.g. Google) that record data about the user’s Internet use for marketing purposes, or that help record and analyse traffic data (statistical cookies).

The lifetime of cookies in this group varies: some cookies live until the end of browsing, and others live for up to 2 years. You can delete cookies at any time as described in paragraph VI.

In the case of cookies belonging to this group, the website operator usually has to obtain the visitor’s consent to the use of cookies beforehand.

 

Cookies used by google.com

Google uses these cookies to better match the ads we show you to your personal interests.

You can find more information about the types of cookies used by Google at the following link: https://policies.google.com/technologies/cookies?hl=hu 

You can find information about the data management and privacy policy related to the use of cookies used by Google at the following link: https://policies.google.com/privacy?hl=hu 

 

Cookies used by Google: https://policies.google.com/technologies/cookies?hl=hu#types-of-cookies 

| Name of cookie | Function and purpose of use | Expiry date (lifetime) |
|---|---|---|
| 1P_JAR | This cookie collects anonymous website statistics and measures conversions. | 1 month |
| CONSENT | This cookie is necessary for the functional operation of Google maps. | 20 years |
| SSID | These cookies are cookies that collect information about visitor behavior from multiple websites and are used by Google to optimize the relevance of advertisements on the website. For example, these cookies are used by Google to remember your recent searches, past interactions with individual advertisers’ ads or search results, and visits to advertisers’ websites. APISID and SAPISID, for example, are Google plus “like” and share-related cookies. HSID and SID are used to store digitally signed and encrypted information about the user’s Google Account ID and the last sign-in time. DV and UULE cookies help Google identify how users visit websites. | 2 years |
| NID | This cookie contains a unique identifier that allows Google to remember preferences and other information used by you, such as your preferred language. This helps Google show you tailored ads. | 6 months |
| SIDCC | This is a Google security cookie used to protect user information from unauthorized access. | 181 days |

We do not use cookies to identify you personally. These cookies are only used for the purposes described above.

  • Purpose of data processing by cookies

We use cookies on our website primarily to ensure the availability of the website, the services and functions provided by the website, and to facilitate and simplify the use of the website in connection with all this. The purpose of data processing related to cookies is also to identify and distinguish visitors, to identify the current session of visitors, to store the data provided during it, and to prevent data loss. Cookies do not contain personal information and cannot be used to identify an individual user.

 

  • Legal basis for data processing

The legal basis for data processing in the case of cookies defined in point 1 of paragraph III of this notice is the legitimate interest of the controller pursuant to Article 6 (1) (f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Therefore, in this case, the consent of the data subject is not required for data processing either, only appropriate information must be provided to him, and personal data may only be processed to the extent necessary and proportionate to achieve the purpose, for the minimum time necessary (which in the case of session cookies means the end of the browsing session, i.e. browser closure).

The legal basis for data processing in the case of cookies specified in Section III, Section 2 of this Policy is the consent of the data subject pursuant to Article 6 (1) (a) of the GDPR, having regard to Section 155 (4) of Act C of 2003 on Electronic Communications.

 

  • How can you manage and delete cookies?

Most internet browsers accept and allow the placement and use of cookies by default. At the same time, cookies can be rejected, their use restricted or disabled, and cookies that have already been stored can be deleted by the appropriate settings of your browser.

Cookies can therefore be deleted or disabled in the browser used. You can also set the browser to notify you when a cookie is sent to the device.

The settings options are usually located in the “Options” or “Settings” menu item in the browser. Each browser is different, so please use your browser’s “Help” menu or the following links (appropriate for your browser) to find the appropriate cookie settings:

Edge

Mozilla Firefox

Google Chrome

Safari

  • What happens if you delete or disable cookies?

Some cookies are strictly necessary for the proper functioning of certain services, so disabling or refusing the use of cookies, or deleting cookies already stored, may result in the website not being fully functional and in the visitor concerned not being able to use some of its functions properly.
