I. The Data Controller
Your personal data is managed by Darabos Éva Egyéni Vállalkozó (hereinafter: Data Controller ) in accordance with the provisions of this Data Management Information.
Data controller:
Name: MűkörömAkadémia Kft
Headquarters: 1068 Budapest, Felsőerdősor utca 9. 2/7.
Tax number: 14174265-2-42
EU VAT number: HU 14174265
Email: [email protected]
II. Purpose, scope and modification of the Data Management Information
The data controller, as the operator of the website www.thenailcourse.com (hereinafter: Website ), hereby publishes the data of website visitors and users of services on the website (hereinafter collectively: data subjects ) for the management of the website and the provision of services related to the website. relevant information.
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Regulation 95/46/EC (hereinafter: the Regulation ) provides , that the Data Controller takes appropriate measures in order to provide the data subject with all information regarding the processing of personal data in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded, and that the Data Controller facilitates the exercise of the rights of the data subject. CXII of 2011 on the right to self-determination of information and freedom of information. Act (hereinafter: Infotv.) also prescribes.
We comply with this legal obligation by providing the information below. The information must be published on the company’s website or sent at the request of the person concerned. We only collect and process personal data in accordance with the law.
We store data as securely as possible, and we only transfer personal data to third parties with the consent of the data subject.
The Data Controller reserves the right to modify the Data Management Information in whole or in part at any time. The Data Management Notice and any amendments thereto shall enter into force upon publication and shall remain in effect as long as the Data Controller provides the services of the Website or amends the Data Management Notice. The date of publication and entry into force of this Data Management Notice: December 4, 2022.
We provide information to anyone about the data stored on them if they request this in writing to [email protected]
and deletion of personal data can also be requested at [email protected] .
The Data Controller hereby informs the visitors of the www.thenailcourse.com website about the personal data managed in connection with the operation and services of the Website, the person and data of the Data Controller, the principles and practices followed in the management of personal data, the transfer of data, the organizational and technical measures taken to protect personal data measures, as well as the manner and possibilities of exercising the rights of the persons concerned.
III. Interpretive concepts (infotv. § 3)
1. data subject: a natural person identified or identifiable on the basis of any information;
2.identifiable natural person: the natural person who can be identified directly or indirectly, especially on the basis of an identifier, such as name, identification number, location data, online identifier or one or more factors;
3. personal data: any information concerning the data subject;
4. special data: all data belonging to the special categories of personal data, i.e. personal data referring to racial or ethnic origin, political opinion, religious or worldview beliefs or trade union membership, as well as genetic data, biometric data aimed at unique identification of natural persons, health data and personal data relating to the sex life or sexual orientation of natural persons,
5. consent: the voluntary, definite and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates through a statement or other behavior that clearly expresses his will that he gives his consent to the processing of his personal data;
6. data controller: the natural or legal person or organization without legal personality who – within the framework defined by law or a mandatory legal act of the European Union – independently or together with others determines the purpose of the data management, the data management (including the used device) makes and implements relevant decisions, or has them implemented by the data processor;
7. joint data controller: the data controller who – within the framework defined by law or a mandatory legal act of the European Union – determines the purposes and means of data management jointly with one or more other data controllers, the decisions regarding data management (including the device used) or jointly with several other data controllers and carry out or carry out with the data processor;
8. data management: regardless of the procedure used, any operation performed on the data or the set of operations, including, in particular, collection, recording, recording, organization, storage, change, use, query, transmission, disclosure, coordination or connection, locking, deletion and destruction , as well as preventing the further use of the data, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying the person (e.g. fingerprint or palm print, DNA sample, iris image);
9. data transmission: making the data available to a specific third party;
10.indirect data transfer: the transfer of personal data to a data manager or data processor conducting data management in a third country or international organization to a data manager or data processor conducting data management in another third country or international organization;
11. disclosure: making the data available to anyone;
12. data deletion: rendering the data unrecognizable in such a way that its recovery is no longer possible;
13. restriction of data management: blocking the stored data by marking it for the purpose of limiting the further processing of the data;
14. data destruction: complete physical destruction of the data carrier containing the data;
15. data processing: the set of data processing operations performed by a data processor acting on behalf of or at the request of the data controller;
16. data processor: the natural or legal person or organization without legal personality who – within the framework and under the conditions defined by law or a mandatory legal act of the European Union – processes personal data on behalf of or at the direction of the data controller;
17. third party: a natural or legal person, or an organization without legal personality, who is not the same as the data subject, the data controller, the data processor or the persons who, under the direct control of the data controller or data processor, carry out operations for the processing of personal data they finish;
18.EEA state: a member state of the European Union and another state party to the Agreement on the European Economic Area , as well as the state whose citizen is the European Union and its member states, and on the basis of an international treaty concluded between a state that is not a party to the Agreement on the European Economic Area , the enjoys the same legal status as a citizen of a state party to the Agreement on the European Economic Area ;
19. third country: any state that is not an EEA state;
20. data protection incident: a breach of data security that results in the accidental or unlawful destruction, loss, modification, unauthorized transmission or disclosure of personal data transmitted, stored or otherwise handled, or unauthorized access to them;
21. recipient: the natural or legal person or organization without legal personality to whom the data manager or data processor makes personal data available;
IV. Basic principles ( Infotv . § 4)
Personal data may only be processed for a clearly defined, lawful purpose, in order to exercise a right and fulfill an obligation. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal.
Only personal data that is essential for the realization of the purpose of data management and suitable for achieving the purpose can be processed. Personal data can only be processed to the extent and for the time necessary to achieve the purpose.
During data management, personal data will retain its quality as long as the relationship with the data subject can be restored. The relationship with the data subject can be restored if the data controller has the technical conditions necessary for restoration.
During data management, the accuracy, completeness and, if necessary, the up-to-dateness of the data must be ensured, as well as that the data subject can only be identified for the time necessary for the purpose of the data management.
In the course of data management, appropriate security of personal data must be ensured by applying suitable technical or organizational measures, especially those that create protection against unauthorized or illegal processing, accidental loss, destruction or damage.
The processing of personal data shall be considered fair and lawful if, in order to ensure the freedom of expression of the data subject, the person who wishes to know the opinion of the data subject visits the data subject at his residence or place of residence, provided that the personal data of the data subject are handled in accordance with the provisions of this law and the personal inquiry is not for business purposes is aimed at. Personal inquiries cannot be made on a holiday according to the Labor Code .
V. The legal basis for data management (Article 6, paragraph (1) of the Regulation, Infotv. § 5. (1), Elker tv. 13/A § (1)-(5), XLVIII tv. 6. of 2008 § (1) para.)
Regulation Article 6 (1): The processing of personal data is legal only if and to the extent that at least one of the following is fulfilled:
a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;
b) data processing is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract;
c) data management is necessary to fulfill the legal obligation of the data controller;
d) data processing is necessary to protect the vital interests of the data subject or another natural person;
e) data processing is in the public interest or is necessary for the execution of a task performed in the context of the exercise of public authority delegated to the data controller;
f) data management is necessary to enforce the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject take precedence over these interests, which require the protection of personal data, especially if the data subject is a child.
Infotv. Section 5 (1): Personal data can be processed if
a) it is ordered by law or – based on the authority of the law, in the scope defined therein, in the case of data that is not classified as special data or criminal personal data – a local government decree for a purpose based on public interest,
b) in the absence of what is specified in point a), it is absolutely necessary for the performance of the duties of the data controller defined by law and the data subject has expressly consented to the processing of personal data,
c) in the absence of what is specified in point a), it is necessary and proportionate to protect the vital interests of the affected person or another person, as well as to prevent or prevent a direct threat to the life, physical integrity or property of persons, or
d) in the absence of what is specified in point a), the personal data has been expressly made public by the data subject and it is necessary for the realization of the purpose of the data management and is proportionate to it.
CVIII of 2001 on certain issues of electronic commercial services and services related to the information society. Act (hereinafter referred to as Elker law ) 13/A. Based on paragraphs (1)-(5) of §
(1) The service provider may process the natural personal identification data and residential address necessary for the identification of the user for the purpose of creating a contract for the provision of services related to the information society, defining its content, modifying it, monitoring its performance, invoicing the resulting fees, and validating related claims.
(2) For the purposes of invoicing the fees from the contract for the provision of services related to the information society, the service provider may process the natural personal identification data related to the use of services related to the information society, address, as well as data regarding the time, duration and place of the use of the service.
(3) In addition to the provisions of paragraph (2), the service provider may process the personal data that is technically absolutely necessary for the provision of the service for the purpose of providing the service. If the other conditions are the same, the service provider must choose and in any case operate the tools used in the provision of services related to the information society in such a way that personal data is only processed if this is absolutely necessary for the provision of the service and the fulfillment of other objectives defined in this law necessary, but also in this case only to the extent and for the necessary time.
(4) The service provider shall use data related to the use of the service for any purpose other than those specified in paragraph (3) – in particular to increase the efficiency of its service, to deliver electronic advertising or other addressed content addressed to the user, for the purpose of market research – only with the prior determination of the purpose of data management and can be managed based on the user’s consent.
(5) Before using the information society-related service and during the use of the service, the user must continuously ensure that he can prohibit data processing according to paragraph (4).
- TV XLVIII of the year Section 6 (1)
- § (1) If a separate law does not provide otherwise, advertising by the method of directly contacting a natural person as the recipient of the advertisement (hereinafter: direct business acquisition), so in particular by means of electronic correspondence or other equivalent means of individual communication – with the exception specified in paragraph (4) – it can only be disclosed if the recipient of the advertisement clearly and specifically consented to it in advance.
VI. The rights of those concerned
The data subject has the right to, in accordance with the conditions set out in this Act, in relation to his personal data managed by the data controller and the data processor acting on its behalf or on its instructions
a) receive information about the facts related to data management before the start of data management (hereinafter: right to prior information),
b) at your request, the data controller will make your personal data and the information related to their management available to you (hereinafter: right of access),
c) at your request, as well as in the additional cases specified in this chapter, your personal data may be corrected or supplemented by the data controller (hereinafter: right to correction),
d) at his request, as well as in the additional cases specified in this chapter, the processing of his personal data is restricted by the data controller (hereinafter: the right to restrict data processing),
e) at your request, as well as in other cases specified in this chapter, your personal data will be deleted by the data controller (hereinafter: right to deletion).
VII. Validation of certain rights of the affected parties
VII.1. Right to prior information
VII.1.1. Name of Data Controllers and data processors
Name of the Data Controller: (see point I)
Data processor: the natural or legal person, public authority, agency
or any other body that processes personal data on behalf of the data controller
(Article 4.8 of the Regulation, and see: Section III.16). The use of the data processor does not require the prior consent of the data subject, but information is required. Accordingly, we provide the following information:
The Data Controller’s IT service provider
The Data Controllers use an external service for the maintenance and management of the Website, which provides the IT services (hosting services, operation of the web store interface) and in this context – for the duration of their contract with them – manages the
personal data provided on the website. The operation it performs: storing personal data on the server
Company name: OVH Hosting Limited Enterprise
Vat number: 9520632R 2620Z
Company registration number: 468585
Email: [email protected]
Office: House O’Brien road, Carlow R93Y0Y3
When using the www.thenailcourse.com website, it is possible to name additional data processors:
- Meta Platforms Ireland Ltd., facebook.com GDPR: https://www.facebook.com/policy.php/ (action performed by it: posting posts, comments)
- Meta Platforms Ireland Ltd., instagram.com GDPR: https://www.facebook.com/policy.php/ (action performed by it: posting posts, comments)
- Google Analytics: googleanalytics.com GDPR: https://analytics.google.com/analytics/web/provision/#/provision (action performed by: web analytics)
- WordPress: wordpress.com GDPR: https://automattic.com/privacy/ (activity performed by him: website building)
- Woo Commerce woocommerce.com GDPR: https://automattic.com/privacy/ (activity carried out by: webshop construction)
- Billingo: billingo.hu GDPR: https://www.billingo.hu/adatkezelesi-tajekoztato (operation performed by it: management of electronic invoicing program)
VII.1.2. Individual data management
CUSTOMER RELATIONSHIP
| Scope of processed personal data: | Purpose of data management: |
| Name | Identification, Contact, Fulfillment of contracts, Realization of business goal |
| E-mail address | Identification, Contact, Fulfillment of contracts, Realization of business goal |
| Phone number | Identification, Contact, Fulfillment of contracts, Realization of business goal |
Scope of stakeholders: All stakeholders who are in contact with the data controller by phone/e-mail/contact form or in person, or who have a contractual legal relationship.
Duration of data management: Data management lasts until the termination of the legal relationship between the data controller and the data subject or, in the case of claims, 5 years after the conclusion of the contract.
Legal basis for data management: Article 6 (1) b) and c) of the Regulation, and Infotv. Section 5, paragraph (1), point b).
Data management is necessary to fulfill a contract in which the data subject is one of the parties, or to take steps at the request of the data subject prior to the conclusion of the contract. Data management is necessary to fulfill the legal obligation of the data controller.
The data management is absolutely necessary for the fulfillment of the duties of the data controller defined by law and the data subject has expressly consented to the processing of personal data.
PURCHASES THROUGH THE WEBSITE
| Scope of processed personal data: | Purpose of data management: |
| Full name, email address, billing address, (company name, optional) | Smooth execution of purchases through the Websites |
Scope of stakeholders: All stakeholders who purchase via the Website.
Duration of data management: Data management lasts until the termination of the legal relationship between the data controller and the data subject, or 5 years after the contract in the case of complaints and claims.
Accounting documents are an exception, since according to § 169 (2) of Act C of 2000 on accounting, these data must be kept for 8 years. The accounting documents directly and indirectly supporting the bookkeeping (including ledger accounts, analytical and detailed records) must be kept in legible form for at least 8 years, in a way that can be retrieved by reference to the accounting records.
Legal basis for data management: Article 6 (1) b) and c) of the Regulation, and Infotv. § 5, paragraph (1) b) and the Elker tv. 13/A. Paragraphs (1)-(5) of §
Data management is necessary to fulfill a contract in which the data subject is one of the parties, or to take steps at the request of the data subject prior to the conclusion of the contract.
Data management is necessary to fulfill the legal obligation of the data controller.
OPINION AND COMMENTARY/COMMENT
| Scope of processed personal data: | Purpose of data management: |
| Username and/or NameImage (if available)EvaluationEvaluation text | Development and promotion of services, documentation of evaluations, differentiation of visitors/customers. |
Scope of stakeholders: All stakeholders who write/publish comments/comments and opinions.
Duration of data management: Until withdrawal of consent. Consent can be withdrawn at any time, but this does not affect the lawful data processing that preceded it.
Legal basis for data management: Consent of the data subject, Article 6 (1) point a) of the Regulation
Website visitors have the opportunity to evaluate the services, as well as write their opinions in several places and comment on a topic. This is done through the options created for this (website comment/comment, Facebook/Instagram comment, Google review),
In case of consent, the following data may be made public or used for marketing purposes: date, time, username and/or name, the evaluation, as well as the text of the evaluation, image (if any).
In the case of comments/recommendations on Facebook, Instagram, Google and other social media sites, data management is carried out on the social media sites, so the duration and method of data management, as well as the options for deleting and modifying data, are governed by the regulations of the respective social media site.
During individual data management, the Data Controller shall comply with VII.1.1. can transmit data to the data processors listed in point
VII.1.3. Cookie – Cookie management
This Cookie Policy (hereinafter: cookie ) contains the cookie conditions for the use of the website operated by www.timarvirag.hu as a service provider (“Service Provider”). When designing the Website, we paid attention to the regulations regarding the further use of cookies. Regarding this use, we have taken into account the following regulations and use them in accordance with them:
- Act C on electronic communications
- year CVIII Act on certain issues of electronic commercial services and services related to the information society
- year CXII. Act on the right to self-determination of information and freedom of information
Please read the document carefully and use my service only if you agree with all its points and accept them as binding for you (hereinafter: User ). Please note that this policy only applies to cookie management on the given Website. If you click on an external link on the website, you should also find and read that website’s own policy.
The cookie
The meaning of a cookie is: files or pieces of information that your internet browser has downloaded from our website and stores on your computer. With the help of these cookies, the server computer storing the materials of our website recognizes when you return to our website that you have already visited our website.
Most internet browsers accept cookies by default. If you think so, you can adjust your browser to refuse cookies or to warn you that cookies have been sent to your machine. Our website uses such cookie files to provide certain functions or simply for convenience reasons. The cookies we use do not load, slow down or cause damage to your computer.
The website also uses cookies from third parties. Cookies can be deleted and disabled from browsers. Cookies can also be disabled. You can find information about these settings on the browser’s official website.
What is the purpose of cookies?
We use these technologies for several purposes, for example to display the most relevant content or advertisement for the User; to further develop our products and services; and to maintain the security of our services. The exact name of the cookies, pixels and other similar technologies we use may change from time to time as the services are developed and updated.
How are cookies created?
First, the client machine sends a request to the server. The server then creates a unique identifier and stores it in its own database, then returns the cookie created in this way with all the information to the client. The information cookie thus returned is stored on the client machine.
How are cookies used?
When the client machine contacts the server again, it already attaches the previously created and stored cookie. The server compares the content of the cookie it receives and the one it stores. This allows you to easily identify e.g. the registered user.
What cookies do we use?
Several types of cookies are used, but each website uses different types. Our website usually only uses the following, but during development, it may happen that we also use new types in addition to the previous ones.
Sessional/Transitional cookie:
these cookies are only temporarily stored in the temporary memory for as long as the user navigates the page. When the user closes the browser, the cookie is deleted. These cookies do not contain personal data and are not suitable for identifying the visitor.
Stored/Persistent cookie:
these are the cookies that are used every time the user visits the site. Based on the type of cookies, we can use them as follows.
Analytics/Analysis:
this shows where you went on the website, what products you looked at, and what you did. Depending on the lifetime of the cookie, it remains on the client machine. It can be used by functions such as Google Analytics or Youtube. These cookies do not contain personal data and are not suitable for identifying the visitor.
Social networks:
allows you to easily access social media networks, share your opinion and information about our products with others. may be used by third-party functions such as Facebook, Twitter, Google+, Pinterest or Youtube. These cookies may contain personal data and are suitable for visitor identification.
Media:
with these, you can, for example, watch videos on the site. It is used by third-party features such as Youtube. These cookies do not contain personal data and are not suitable for identifying the visitor.
Functional:
this shows whether the user has already visited the site and with what device he did so. It remembers the user name, password, selected language, location information. These cookies may contain personal data and are suitable for visitor identification.
Advertising:
with the help of these, I can send the user information and newsletters according to his interests. These cookies may contain personal data and are suitable for visitor identification.
For information on the types of cookies and a full description of their functions, visit www.allaboutcookies.org .
How are cookies managed?
In different ways, but the client has the possibility to set his browser in different ways regarding the management of cookies. In general, there are three ways to configure browsers as follows:
Accept all cookies
Decline all cookies
Request notification of each cookie use
Regarding cookie settings, it is worth looking around the “Options” or “Settings” menu of your browser, or using the “Help” menu of your search engine. The following websites can help you with the settings of the most frequently used browsers.
Internet Explorer
Firefox
Chrome
It is important to note that the website was created with cookie management. If the client partially or completely disables their use, it may prevent the website from functioning. If this happens, there may be functions and services that you will not be able to use in whole or in part.
We use cookies even if the User does not have a registered account or if he has logged out of the account. For example, if the User has logged out of their account, we use cookies to facilitate the following:
identification and blocking of spammers’ accounts
account recovery in the event that access is lost
providing additional security features such as login notifications and login approvals
preventing the registration of minors with a false date of birth
displaying, selecting, evaluating, measuring and interpreting advertisements displayed on the site and elsewhere (including advertisements displayed by or on behalf of our affiliates or partners)
compiling analytical information about people who interact with our services and the websites of our advertisers and partners.
In order to protect the services and its users against malicious activities, we place cookies even if the User does not have an account registered, but has visited our Website. For example, these cookies help us detect and prevent service interruption attacks and the mass creation of fake accounts.
If there are cookies in the browser or on the device, we can read the cookie when you visit a website with a social module. The operator of those pages is responsible for cookies created by social websites (Facebook, Twitter, LinkedIn, GooglePlus), which can be found on the website of the given social website.
VII.2. The right to access (Infotv. § 16)
(1) In order to assert the right to access, upon request, the data controller shall inform the data subject whether his personal data is being processed by the data controller himself or by a data processor acting on his behalf or at his direction.
(2) If the data subject’s personal data is managed by the data controller or by a data processor acting on its behalf or at its direction, the data controller shall, in addition to what is specified in paragraph (1), make available to the data subject the data subject’s personal data managed by it and by the data processor acting on its mandate or at its direction, and tells him
a) the source of the processed personal data,
b) the purpose and legal basis of data management,
c) scope of personal data handled,
d) in the case of the transmission of processed personal data, the scope of the recipients of the data transmission, including third-country recipients and international organizations,
e) the duration of the retention of processed personal data, the criteria for determining this duration,
f) a description of the rights to which the data subject is entitled under this Act, as well as the method of enforcing them,
g) in case of profiling, its fact and
h) the circumstances of data protection incidents arising in connection with the management of the personal data of the data subject, their effects and the measures taken to deal with them.
(3) The data controller may limit or deny the enforcement of the data subject’s right to access in proportion to the goal to be achieved, if this measure is absolutely necessary to secure an interest defined in § 16, subsection (3), points a) -f) .
(4) In the event of the application of the measures set out in subsection (3), the data controller shall inform the data subject in writing without delay
a) on the fact of restricting or denying access, as well as on the legal and factual reasons, if making them available to the data subject does not endanger the enforcement of an interest defined in points a ) -f) of Section 16, subsection (3) , and
b) about the rights to which the data subject is entitled based on this law, as well as the manner of enforcing them, so in particular that the data subject can exercise his right to access with the cooperation of the Authority.
VII.3. Right to rectification (infotv. § 18)
(1) In order to assert the right to rectification, if the personal data managed by him or by a data processor acting on his behalf or at his direction are inaccurate, incorrect or incomplete, he shall, especially at the request of the data subject, clarify or correct them without delay, or if the is compatible with the purpose of data management, supplemented by additional personal data provided by the data subject or by a statement attached to the personal data processed by the data subject (hereinafter together: correction).
(2) The data controller shall be exempted from the obligation specified in paragraph (1) if
a) accurate, correct or complete personal data are not available to you and the data subject does not make them available to you, or
b) the authenticity of the personal data provided by the data subject cannot be established beyond doubt.
(3) If the data controller corrects the personal data processed by him or by a data processor acting on his behalf or at his direction, as defined in paragraph (1), he shall inform the data controller to which he forwarded the personal data affected by the correction of the fact and of the corrected personal data. .
VII.4. Right to restriction (Article 19 of Infotv)
(1) In order to enforce the right to limit data processing, the data controller limits data processing to the data processing operations specified in paragraph (2),
a) if the data subject disputes the accuracy, correctness or completeness of the personal data processed by the data controller or by the data processor acting on his behalf or on his instructions, and the accuracy, correctness or completeness of the processed personal data cannot be established beyond doubt, for the duration of the clarification of the existing doubt,
b) if, as defined in point a) of § 20 , the data should be deleted, but based on the written statement of the data subject or the information available to the data controller, it can be reasonably assumed that the deletion of the data would harm the legitimate interests of the data subject, the existence of a legitimate interest justifying the non-deletion for the duration of
c) if, as defined in point a) of § 20 , the data should be deleted, but it is necessary to preserve the data as evidence in the course of investigations or procedures defined by law – especially criminal proceedings – carried out by or with the participation of the data controller or other body performing public duties, this until the final or final conclusion of an investigation or procedure,
d) if, as defined in point a) of § 20 , the data should be deleted, but it is necessary to preserve the data in order to fulfill the documentation obligation contained in § 12, paragraph (2), 25/F. until the date specified in § (4).
(2) During the period of limitation of data processing, the data controller, or the data processor acting on the basis of the data controller’s mandate or instructions, shall perform other data processing operations in addition to storage solely for the purpose of asserting the legitimate interests of the data subject or as required by law, international treaty, or the mandatory legal provisions of the European Union may perform as specified in the act.
(3) In the case of termination of the data management restriction specified in point a) of paragraph (1), the data controller shall inform the data subject in advance of the lifting of the data management restriction.
VII.5. Right to erasure (Infotv. § 20)
In order to enforce the right to deletion, the data controller shall immediately delete the personal data of the data subject if
a) the data management is illegal, so especially if the data management is
aa) contrary to the basic principles laid down in § 4,
ab) its purpose has ceased, or the further processing of the data is no longer necessary for the realization of the purpose of the data processing,
ac) the period defined by law, international treaty or a binding legal act of the European Union has passed, or
ad) its legal basis has ceased and there is no other legal basis for processing the data,
b) the data subject withdraws his consent to data management or requests the deletion of his personal data, unless the data management is based on point a) or c) of paragraph (1) of Section 5 or point b) of paragraph (2),
c) the deletion of the data was ordered by legislation, a legal act of the European Union, the Authority or the court, or
d) the period specified in points b) -d) of § 19, paragraph (1) has passed.
VIII. Legal remedy ( infotv . § 22)
In order to enforce his rights, the data subject
a) the Authority may initiate an investigation for the purpose of examining the legality of the data controller’s action, if the data controller complies with IV. restricts the enforcement of its rights specified in point or rejects its request for the enforcement of these rights, as well as
b) you can request the conduct of the official data protection procedure of the Authority if, in your opinion, the data manager, or the data processor acting on the basis of his or her mandate, violates the regulations regarding the handling of personal data, as defined in legislation or in a binding legal act of the European Union, during the processing of your personal data.
National Data Protection and Freedom of Information Authority 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf: 5.
Telephone: +36 13911400
Fax: +3613911410
E-mail: [email protected]
IX. Judicial enforcement (Infotv. § 23)
(1) The data subject may go to court against the data controller or – in connection with the data processing operations within the scope of the data processor’s activity – the data processor, if, in his opinion, the data controller or the data processor entrusted by him or acting on the basis of his instructions has used his personal data in accordance with the law on the management of personal data or it is handled in violation of the regulations defined in the mandatory legal act of the European Union.
(2) That the data management complies with the regulations regarding the handling of personal data, defined in legislation or in a mandatory legal act of the European Union – thus, especially in the case of data management falling within the scope of § 2, subsection (3), § 4 (1) -(4a ) – meets the basic requirements, the data manager or the data processor is obliged to prove.
(3) The person concerned may, at his or her choice, also initiate the lawsuit before the competent court based on his or her place of residence.
(4) A party may also be a party to the lawsuit who otherwise does not have legal capacity to litigate. The Authority can intervene in the lawsuit in order to win the case for the person concerned.
(5) If the court approves the claim, it establishes the fact of the violation and the data manager or the data processor
a) to terminate the illegal data processing operation,
b) to restore the legality of data management, or
c) to demonstrate precisely defined behavior to ensure the enforcement of the rights of the data subject
obligates and, if necessary, decides at the same time on the demand for compensation and damages.
(6) The court may order the publication of its judgment – by publishing the identification data of the data controller or data processor – if the judgment affects a wide range of persons, if the defendant is a data controller or data processor performing a public function, or if the gravity of the infringement justifies the disclosure. .
X. Compensation and damages (Infotv. § 24)
(1) If the data controller, or the data processor entrusted by it or acting on its instructions, violates the regulations regarding the handling of personal data, defined in legislation or in a mandatory legal act of the European Union, and thereby causes damage to others, it is obliged to compensate it.
(2) If the data controller, or the data processor entrusted by it or acting on the basis of its instructions, violates the regulations regarding the handling of personal data, as defined in legislation or in a binding legal act of the European Union, and thus infringes another person’s right to privacy, the person whose privacy right has been violated shall, from the data controller , and may demand damages from the data processor he has commissioned or acted on the basis of his instructions.
(3) The data controller shall be released from responsibility for the damage caused and from the obligation to pay damages if it proves that the damage or the violation of privacy rights was caused by an unavoidable cause outside the scope of data management.
(4) The data processor is exempted from responsibility for the damage caused and from the obligation to pay damages if it proves that during the data processing operations carried out by it, the obligations specifically imposed on the data processors, defined in legislation or in a binding legal act of the European Union, relating to the processing of personal data, and acted in compliance with the lawful instructions of the data controller.
(5) The data controller and the data processor acting on the basis of its mandate or instructions, as well as the joint data controllers and the data processors entrusted by them or acting on the basis of their instructions, caused by the violation of the regulations regarding the handling of personal data, as defined in the law or in the binding legal act of the European Union
a) they are jointly and severally liable for damage to the affected person, and
b) they are jointly and severally obliged to pay the damages due in the event of a violation of personal rights to the person concerned.
(6) The damage does not have to be compensated and no damages can be claimed if the damage resulted from the intentional or grossly negligent behavior of the injured party or the violation of the right to privacy.
XI. Data security ( Infotv . § 25/I.)
(1) In order to ensure the appropriate level of security of the personal data handled, the data controller and the data processor shall take technical and organizational measures adapted to the extent of the risks posed by the data management, especially those associated with the management of the special data of the data subjects, to the enforcement of the basic rights of the data subjects.
(2) During the design and implementation of the measures specified in paragraph (1), the data manager and the data processor take into account all the circumstances of data management, in particular the current state of science and technology, the costs of implementing the measures, the nature, scope and goals of data management, and the risks of variable probability and severity posed by data processing for the enforcement of the rights of the data subjects.
(3) Within the scope of the data controller and activities, the data processor ensures the measures specified in paragraph (1).
a) denial of access by unauthorized persons to the devices used for data management (hereinafter: data management system),
b) preventing the unauthorized reading, copying, modification or removal of data carriers,
c) preventing unauthorized entry of personal data into the data management system, as well as unauthorized access, modification or deletion of personal data stored therein,
d) preventing the use of data management systems by unauthorized persons via data transmission equipment,
e) that persons authorized to use the data management system only have access to personal data specified in the access permit,
f) that it can be verified and determined to which recipient the personal data has been transmitted or may be transmitted, or has been or may be made available, via data transmission equipment,
g) that it can be subsequently checked and determined which personal data was entered into the data management system, at which time, and by whom,
h) preventing the unauthorized access, copying, modification or deletion of personal data during their transmission or during the transport of the data carrier,
i) that the data management system can be restored in the event of a malfunction, as well as
j) that the data management system is functional, that a report is prepared on errors occurring during its operation, and that the stored personal data cannot be changed by operating the system incorrectly.
(4) In order to protect the data files managed electronically in the various registers, the data manager or the data processor in the field of activity ensures with an appropriate technical solution that the data stored in the registers cannot be directly linked and assigned to the data subject, unless permitted by law.
XII. Final word
During the preparation of the information, we paid attention to the following legislation:
– CXII of 2011 Act – on the right to self-determination of information and freedom of information (hereinafter: Infotv.)
– CVIII of 2001 Act – on certain issues of electronic commercial services and services related to the information society (mainly § 13/A)
– XLVIII of 2008 Act – on the basic conditions and certain limitations of economic advertising (especially § 6.a)
– Act C of 2003 on electronic communications (specifically § 155.a)
– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL