DATA MANAGEMENT INFORMATION
www.bodywax.hu Valid: from 12.06.2023 until withdrawal
Georgina Tóth (headquarters: 1094 Budapest, Viola utca 35. building: FSZ door: 7 tax number: 45510807-1-43, email: info@bodywax.hu) fulfills her obligations related to data management within the framework of this data management information.
Introductory provisions, the purpose of the information
The Data Controller records in this Data Management Information, in order to implement the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the management of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (hereinafter: GDPR), and of Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: Infotv.), the governing rules related to data protection and the related procedure, expressing the respect and protection of the basic principles defined in the decree.
The data controller recognizes the content of this information as binding.
The purpose of the Data Management Notice is to inform the Data Controller's customers, partners, and principals regarding the management of their personal data. The data manager only handles personal data in accordance with the legal provisions in force at all times and in strict compliance with their provisions, taking into account the basic principles contained in Article 5 of the GDPR:
- the principle of lawfulness, fair procedure and transparency,
- the principle of purpose limitation,
- the principle of data minimisation,
- the principle of accuracy,
- the principle of storage limitation.
The Data Controller is committed to protecting the personal data of the data subjects, and considers it of utmost importance to respect the data subjects' right to self-determination. The recorded personal data is handled confidentially in accordance with data protection legislation.
In addition to all of this, it takes all technical and organizational measures that guarantee the safe preservation of data. The data is protected by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.
The personal, material and temporal scope of the Data Management Notice:
The personal scope of this Data Management Notice covers the Data Controller, as well as the natural persons whose data is included in the data processing covered by this Notice, as well as the persons whose rights or legitimate interests are affected by the data processing.
Concept definitions:
Personal data: any information relating to an identified or identifiable natural person ("data subject"); a natural person is identifiable if he can be identified directly or indirectly, in particular on the basis of an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Special categories of personal data: personal data referring to racial or ethnic origin, political opinion, religious or worldview beliefs or trade union membership, as well as genetic and biometric data aimed at the unique identification of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.
Data management: regardless of the procedure used, any operation or set of operations performed on personal data or data files in an automated or non-automated manner, including in particular the collection, recording, organization, segmentation, storage, transformation or change, querying, viewing, use, transmission, distribution or otherwise making available, harmonization or connection, restriction, deletion or destruction of personal data.
Data transmission: making the data available to a specific third party.
Disclosure: making the data available to anyone.
Data deletion: rendering data unrecognizable in such a way that their recovery is no longer possible.
Registry system: a file of personal data divided in any way - centralized, decentralized or according to functional or geographical aspects - which is accessible based on specific criteria.
Data manager: the one who determines the goals and means of data management, independently or together with others.
Data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.
Data subject: any natural person identified or - directly or indirectly - identifiable on the basis of personal data.
Addressee: the natural or legal person, public authority, agency or any other body with or to which the personal data is communicated, regardless of whether it is a third party.
Third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data manager, the data processor or the persons who have been authorized to process personal data under the direct control of the data manager or data processor.
The consent of the data subject: the voluntary, specific and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates through an unmistakably expressive act of declaration or confirmation that he gives his consent to the processing of his personal data.
Data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled.
E-mail: (Electronic mail) electronic mail. Its name refers to the method of writing and transmission, which takes place entirely electronically with the help of computer networks.
Internet: the Internet (Internetworking System) is a worldwide network of computer networks (so-called meta-network) that spans the entire Earth, connecting governmental, military, commercial, business, educational, research, and other institutions, as well as individual users.
Web page, Website, Web portal, Homepage: an electronic interface suitable for displaying and communicating information, which are typically located on servers connected to the Internet (Web server). These pages have a unique address (link), which can be entered in a browser application to navigate to the given page. The technology of the Websites enables forward and backward jumps between individual content elements and links (hypertext).
Cookies: program components for creating the convenience functions of websites. There are two basic types. One is stored on your own machine, the other, the so-called session cookie, is stored on the server side. From the point of view of data management, the management of session cookies must be regulated. Websites must inform visitors about the use of cookies.
Electronic newsletter: electronic mail, transactional, advertising or other campaign information sent to the e-mail address of persons subscribed to an address list, typically created automatically and sent by an application designed for this purpose.
Legal bases and purposes of data management
Personal data can only be processed legally in the following cases and to the extent that at least one of the following is fulfilled according to Article 6 of the GDPR:
- the data subject has given his consent to the processing of his personal data for one or more specific purposes;
- the data processing is necessary for the fulfillment of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract;
- data management is necessary to fulfill the legal obligation of the data controller;
- data processing is necessary to protect the vital interests of the data subject or another natural person;
- the data management is in the public interest or is necessary for the execution of a task performed in the context of the exercise of a public authority granted to the data controller;
- data processing is necessary to enforce the legitimate interests of the data controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.
The Data Controller must examine the legality of data management in all phases of its activity, and may only process such data and to the extent that it can prove its purpose and legal basis. If the condition of the legal basis ceases, data processing is only legal in the future if it can prove another legal basis, failing which the data must be deleted.
Operation of the website
The server and hosting provider: Rackhost Zrt.
Address: Tisza Lajos körút 41, 6722 Szeged.
The server and hosting provider stores the personal data it has acquired, but is not entitled to use them.
Information about cookies used on the website
Cookies are files that are created by websites you visit. By saving browsing data, they facilitate online navigation. Cookies allow websites to:
- keep you logged in;
- remember your website preferences;
- offer you locally relevant content.
Some cookies expire when the website is closed, and some have a longer expiration date.
Legal background of cookies:
The legal background of data management is the provisions of the GDPR, the Infotv., and Act CVIII of 2001 on electronic commerce services and on certain issues of services related to the information society.
Legal basis for cookies:
The legal basis for data management in the case of session cookies is Article 6 (1) point f) of the GDPR; in the case of other cookies (e.g. security, analytical) it is your consent in accordance with Article 6 (1) point a) of the GDPR and Section 5 (1) point a) of the Infotv.
We inform you that, by accepting the cookies used on the website of the Data Controller, the data subject declares that he has turned 16. Persons under the age of 16 may not declare acceptance or rejection of cookies used by the website. Based on Article 8 (1) of the GDPR, the consent of your legal representative is required for the validity of your legal declaration containing your consent to data processing. The data controller has no way to check the consenting person's age and eligibility, so the data subject guarantees that the data provided corresponds to reality.
The website uses the following cookies:
- XSRF-TOKEN: basic cookie used for security reasons.
- bSession cookie: basic cookie used to measure system efficiency. Expiration time: 30 minutes.
- _wix_browser_sess: basic cookie used for system monitoring and debugging. Expiry date: 3 months.
- _wix-CIDX: basic cookie used for system monitoring and debugging. Expiry date: 3 months.
- consent-policy: basic cookie used for cookie-banner parameters. Expiry date: 12 months.
- hs: basic cookie used for security reasons. Expires: end of session.
- svSession: basic cookie used during user login. Expiry date: 1 year.
Deleting cookies
You can delete the cookies placed by the website at any time from your device using your browser. You can find a detailed description of how to delete and manage cookies in the help of the specific browser. You can also use your browser to block cookies or request a notification every time your browser receives a new cookie. Blocking cookies can technically hinder the use of our website. If you do not accept the use of cookies, certain functions will not be available to you.
Contact, inquiry, request a quote via the website
The Data Controller allows the interested party to contact him at any of the contact details provided on the website, or to send him a message via the contact form on the website. The data provided will be used solely for the purpose of maintaining contact with the interested party.
The following personal data must be entered in the contact form:
- name
- telephone
- message
The purpose of data management is for the website operator to establish contact with interested parties and provide them with a price offer.
Legal basis for data management:
In the event of an inquiry or request for information, data processing is based on voluntary consent based on Article 6 (1) point a) of the GDPR. In the case of a price offer, based on Article 6 (1) point b) of the GDPR, data processing is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract.
Duration of data management:
The personal data provided will be processed for different periods depending on the nature of the contact.
In the event of an inquiry or contact, the data will not be stored by the Data Controller after providing the necessary information, unless a claim can be legally asserted in the case of occasional contact, in which case it will be kept for a maximum of 5 years for the purpose of verification.
In the case of providing a price offer, the data retention period is the duration of the binding offer, which is governed by §§ 6:64-69 of the Civil Code. If a business relationship is established, the data must be kept for 8 years based on § 169 (2) of the Accounting Act.
Data management related to the Facebook page
The operator of the website also promotes and explains the service it provides through its social media page, as well as offers the opportunity to contact via Messenger. The Data Controller treats the personal data obtained through the Facebook page as confidential, and uses it exclusively for maintaining contact with the data subject, answering questions, and providing price offers.
The purpose of data management is to promote, advertise and provide information to interested parties.
Legal basis for data management:
Pursuant to Article 6 (1) point a) of the GDPR, it is based on voluntary consent, which must be considered given when the data subject likes or follows the page, comments on posts, or contacts the site operator in the form of a message. With regard to the production and publication of photographs, the legal basis for data management is Article 6 (1) point a) of the GDPR, in view of the provisions of §§ 2:42 and 2:48 of the Civil Code.
Joint data controller: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The operator of the site does not assume responsibility for its previous pages that have already been deleted, but were still archived with the help of Internet search programs. The operator of the search page must ensure that they are removed.
You can read more about Facebook's data management by clicking on the link below:
https://www.facebook.com/privacy/explanation.
Data management related to the Instagram page
The operator of the website also promotes and explains the service it provides through its social media page, as well as offers the opportunity to contact via Messenger. The Data Controller treats the personal data obtained through the Instagram page as confidential, and uses it exclusively for maintaining contact with the data subject, answering questions, and providing price offers.
The purpose of data management is to promote, advertise and provide information to interested parties.
Legal basis for data management:
Pursuant to Article 6 (1) point a) of the GDPR, it is based on voluntary consent, which must be considered given when the data subject likes or follows the page, comments on posts, or contacts the site operator in the form of a message. Regarding the preparation and publication of photographs, the legal basis for data management is Article 6 (1) point a) of the GDPR, in view of the provisions of §§ 2:42 and 2:48 of the Civil Code.
Joint data controller: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The operator of the site does not assume responsibility for its previous pages that have already been deleted, but were still archived with the help of Internet search programs. The operator of the search page must ensure that they are removed.
You can read more about Instagram data protection by clicking on the link below:
https://help.instagram.com/519522125107875.
Data management related to the references displayed on the website
The Data Controller reports on its website about its satisfied guests as references, with the express, voluntary and influence-free consent of the person concerned. The Data Controller pays particular attention to ensuring that the content of personal opinions, experiences, and recommendations published on the website does not violate the privacy rights or legitimate interests of others.
The purpose of data management:
Promotion of services, advertising and providing information to interested parties, as well as displaying individual references.
Legal basis for data management:
It is based on voluntary consent according to Article 6 (1) point a) of the GDPR.
Scope of processed data:
- name
- photograph
- opinion
Duration of data management: Until the data subject's consent is revoked or the content is deleted from the Data Controller's website.
The operator of the site does not assume responsibility for its previous pages that have already been deleted, but were still archived with the help of Internet search programs. The operator of the search page must ensure that they are removed.
Data management related to appointment booking
On its website, the Data Controller provides interested parties with the opportunity to book treatment at available times through the website.
The purpose of data management:
Fulfillment of the ordered service, issuance of invoice, retention of the invoice, fulfillment of tax obligations, maintaining contact, obligation to provide information according to the contract, provision of data to bodies defined by law.
Legal basis for data management:
With regard to the provision of a price offer and reservation of treatment, the fulfillment of a contract based on Article 6 (1) point b) of the GDPR; in the case of adding guest data to the account: § 165 of Act C of 2000 on accounting, § 196 of Act CXXVII of 2007 on general sales tax, as well as fulfillment of the cooperation and information obligation contained in § 6:62 of the Civil Code.
Scope of processed data:
- name of affected person,
- bank card/credit card in case of card payment,
Duration of data management:
Accounting documentation must be kept for 8 years based on § 169 (1) of the Accounting Act. Contact data will be kept until the contract is fulfilled, but no later than December 31 of the year following the completion of the contract.
Legal basis for data transmission:
Fulfillment of a legal obligation based on Article 6 (1) point c) of the GDPR, with regard to the provisions of § 9/H of Act CLVI of 2016.
Data protection incident
In the absence of appropriate and timely measures, a data protection incident can cause physical, financial or non-financial damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or identity abuse, financial loss, unauthorized removal of pseudonyms, damage to reputation, damage to the confidential nature of personal data protected by the obligation of professional confidentiality, or other significant economic or social disadvantage affecting the natural persons in question.
It must be ensured that all appropriate technological protection and organizational measures have been implemented, on the one hand, in order to immediately establish a data protection incident, and on the other hand, to notify the supervisory authority and notify the data subject urgently. It must be determined whether the notification was made without undue delay, especially taking into account the nature and severity of the data protection incident, as well as its consequences and adverse effects on the data subject. Notification to the supervisory authority may result in its intervention in accordance with its duties and powers defined in this regulation.
Notification of the data protection incident to the supervisory authority
The data controller shall report the data protection incident to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons justifying the delay must also be attached.
After becoming aware of the data protection incident, the data processor shall notify the data controller without undue delay.
In the notification, at least:
a) the nature of the data protection incident must be described, including – if possible – the categories and approximate number of those affected, as well as the categories and approximate number of data affected by the incident;
b) the name and contact details of the data protection officer or other contact person providing additional information must be communicated;
c) the likely consequences of the data protection incident must be described;
d) the measures taken or planned by the data controller to remedy the data protection incident must be described, including, where applicable, measures aimed at mitigating any adverse consequences resulting from a data protection incident.
If and to the extent that it is not possible to provide the information at the same time, it can be provided later in parts without further undue delay.
The data controller keeps records of data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it. This register enables the supervisory authority to verify compliance with the requirements of this Article.
The obligation to inform the data subject according to Article 34 of the GDPR
If the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay. In the information given to the person concerned, the nature of the data protection incident must be clearly explained, and at least the information and measures mentioned in points b), c) and d) of Article 33 (3) of the GDPR must be communicated.
The data subject does not need to be informed if any of the following conditions are met:
a) the data controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures - such as the use of encryption - that make the data unintelligible to persons not authorized to access the personal data;
b) after the data protection incident, the data controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph (1) is unlikely to materialize in the future;
c) providing information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.
If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to involve a high risk, may order the data subject to be informed or establish that one of the above-mentioned conditions has been met.
The rights of the data subject according to the GDPR:
In connection with data management, through the Data Controller:
- you can request information about data management and request access to the data processed in relation to you,
- in case of inaccurate data, you can request correction, or completion of incomplete data,
- you can request the deletion of data processed on the basis of your consent,
- you may object to the processing of personal data,
- you can use the right of data portability,
- you can request the restriction of data management.
On the basis of the information request of the data subject - if it is not subject to restrictions due to a legally defined interest - you can find out whether your personal data is being processed by the data controller, and you are entitled to receive information about the data being processed about you:
- for what purpose it is processed,
- what authorizes the data controller to process the data (legal basis),
- from when and for how long the data is processed (duration),
- what data is processed, with a copy of it made available to the data subject,
- about the recipients of the personal data and the categories of recipients,
- about transmission to a third country or international organization,
- about the rights of data subjects related to data management,
- about legal remedies.
The employer, as data controller, will respond to requests for information and access within 30 days at the latest. The controller may charge a reasonable fee based on the administrative costs for additional copies of the processed personal data requested by the data subject. In some cases, the data controller may refuse to provide information on the basis of legal authority, for example in order to prevent or prosecute crimes, in which case the response includes the legal provision that grounds the refusal to provide information and information about the possibility of legal remedies.
In the case of a request to correct (change) the data, the data subject must substantiate the accuracy of the data requested to be changed, and must also prove that the person requesting the change is indeed entitled to change the data. If it is not clear whether the processed data is correct or accurate, then the data manager does not correct the data, but only marks it, i.e. indicates that the data subject has objected to it, but it is not necessarily incorrect. After confirming the authenticity of the request, the data controller will correct inaccurate personal data without undue delay, and supplement the data affected by the request. The data controller will notify the data subject of the correction or marking.
The data controller will comply with your request to restrict data processing if one of the following is met:
- the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the data controller to check the accuracy of the personal data,
- the data management is illegal and the data subject opposes the deletion of the data, instead requesting the restriction of their use,
- the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims, or
- the data subject has objected to the data management relating to him.
If the data is subject to restrictions, the personal data may, with the exception of storage, only be handled:
- with the consent of the person concerned,
- to submit, enforce or defend legal claims,
- to protect the rights of other natural or legal persons, or
- in the important public interest of the European Union or a member state.
The data controller informs the data subject in advance of the lifting of the limitation of data management.
Legal remedy
If the data subject considers that the data management conflicts with the provisions of the GDPR, or if he considers the way the data controller handles his personal data to be harmful, then it is advisable to contact the data protection officer; if the data controller does not employ a data protection officer, he should take his complaint to the representative of the company. In all cases, the complaint will be investigated. If, despite the response to your complaint, you still object to the way the police data management body handles your data, or if you want to contact the data protection authority directly, you can file a report with the National Data Protection and Freedom of Information Authority (1055 Budapest, Falk Miksa u. 9-11, 1363 Budapest. Pf. 9.). In order to protect your data, you also have the option to go to court, which will act out of turn in the case. In this case, you can decide whether to submit your claim at the court of your place of residence (permanent address) or your place of stay (temporary address) (https://birosag.hu/torvenyszekek). You can find the court of your place of residence or stay at https://birosag.hu/birosag-kereso.
If the Data Controller finds that the legal provisions on data management have been violated, or that one of your requests has not been fulfilled, your personal data will be managed by Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). For this reason, the Irish data protection authority is entitled to act in this case, so you should contact the Irish Data Protection Commission (21 Fitzwilliam Square, South Dublin 2, D02 RD28, Ireland) with your complaint.