Privacy Policy
The purpose of this Privacy Policy is to provide data subjects (clients, prospective clients, and visitors to this website) with information about data processing, as well as their rights and legal remedies, prior to the commencement of any data processing.
I. Name and Contact Details of the Data Controller
Name of the Data Controller: Csúcsteljesítmény Kft. (hereinafter: Data Controller)
Registered address: 1223 Budapest, Kőbányai utca 8.
Tax number: 27181821-2-43
Company registration number: 01 09 387438
Contact details of the Data Controller:
Postal address: 1223 Budapest, Kőbányai u. 8.
Email address: info@martongabor.hu
Website: www.martongabor.hu
II. Definitions
Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Data Subject: the identified or identifiable person to whom the Personal Data relates. If your data is being processed, you are a data subject!
Data Processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Filing System: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
Data Processing (by processor): all data processing activities carried out by the Data Processor on behalf of the Data Controller.
Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third Party: a natural or legal person, public authority, agency or body other than the data subject, Data Controller, Data Processor and persons who, under the direct authority of the Data Controller or Data Processor, are authorised to process personal data.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Data Protection Laws: the GDPR and all other EU or Member State laws relating to data processing.
Supervisory Authority: an independent public authority established by a Member State pursuant to Article 51 of the GDPR.
Special Category Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Biometric Data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Cross-border Processing of Personal Data: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
III. Purposes, Legal Bases, Scope of Personal Data Processed, and Retention Periods
Purpose of data processing: Data processing must comply with its stated purpose at every stage.
Data processing must be fair and lawful.
The purpose of data processing also affects the scope of data processed, as personal data may only be processed in a manner that is limited to the purposes for which it was collected and only to the extent and for the duration necessary to achieve those purposes.
The legal bases for data processing may be as follows:
- The data subject (e.g., you) has given consent. Consent may be given for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject (e.g., you) is a party.
- Processing is necessary prior to entering into the contract, at the request of the data subject (e.g., you).
- Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject (e.g., you) or of another natural person.
- Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party.
An exception applies where such legitimate interests are overridden by the interests or fundamental rights of the data subject (e.g., you) which require protection of personal data. In particular, this applies where the data subject is a child.
Special category data may be processed in the cases set out in Data Protection Laws, and also when the data subject gives written consent to its processing.
Retention period: As a general rule, the Data Controller is obliged to erase all personal data:
- where the purpose of processing has ceased;
- where the sole legal basis for processing is the data subject’s (e.g., your) consent, and the data subject has withdrawn that consent;
- where there is no legal basis for the processing;
- where the data is not necessary for the fulfilment of a legal obligation;
- where the data is not necessary for the assertion of the Data Controller’s vital or legitimate interests (subject to the above restrictions).
The Data Controller may process your data for the following purposes (the legal basis, scope of data processed, and retention period are indicated alongside each purpose):
Note: In the case of natural person contact persons of legal entities, regardless of the legal basis indicated below, the basis for data processing is the joint legitimate interest of the Data Controller and the legal entity in maintaining contact.
Contacting the Data Controller
Category | Details |
Scope of data processed | Name, phone number or email address, content of the message. |
Legal basis | Your consent. |
Purpose | The listed data are necessary for the Data Controller to respond to you. |
Source of data | Provided by you (as the person initiating contact). |
Retention period | Data will be deleted following contact with you, unless further processing takes place as described below. |
Consequence of refusal | You will be unable to contact the Data Controller. |
Providing Quotations to Interested Parties
Category | Details |
Scope of data processed | Name, phone number, email address, postal address; in the case of a legal entity, the name, phone number and email address of the natural person contact. |
Legal basis | Necessary for taking steps prior to entering into a contract. |
Purpose | Sending a business quotation in response to your request. |
Source of data | Provided by you (as the person requesting the quotation). |
Retention period | Data will be deleted after the offer period expires, if no contract is concluded. |
Consequence of refusal | The Data Controller will be unable to provide you with a quotation. |
Entering into Contracts / Placing Orders
Category | Details |
Scope of data processed | Identification data; in the case of a sole trader, their registration number and tax number; contact details (postal address, email, phone number); in the case of a legal entity, the name and contact details of the natural person contact; data related to payment for the service/product (e.g., bank account number, name of account-holding bank). |
Legal basis | Necessary for taking steps to enter into a contract; and legal obligation, as current accounting laws require the Data Controller to retain contracts/invoices. |
Purpose | Entering into a contract with you, or recording your order. |
Source of data | Provided by you (as the contracting party/customer). |
Retention period | Data will be deleted after the period prescribed by applicable accounting laws (at the time of issuing this policy: 8 years after termination of the contract). Contact details of individual clients and natural person contacts of legal entity clients may be deleted upon request after contract performance, provided all obligations have been fulfilled. If no contract is concluded, data collected will be deleted after the offer period expires. |
Consequence of refusal | The Data Controller will be unable to enter into a contract with you or record your order. |
Operating a Facebook Page
Category | Details |
Scope of data processed | As a Facebook user, the Data Controller can see the list of people who liked or follow the page, and by clicking on their profiles, can see their public profile information. |
Legal basis | By clicking the ‘Like’ or ‘Follow’ button on the Data Controller’s Facebook page, you consent to receiving the Data Controller’s news and offers on your own feed. |
Purpose | The Data Controller maintains a page on Facebook. The purpose is to increase brand awareness, publish marketing advertisements, and promote competitions. |
Source of data | Data becomes accessible through your actions (liking, following, posting, etc.). |
Retention period | The connection with the Data Controller on Facebook ends when you click ‘Unfollow’ or ‘Unlike’. |
Consequence of refusal | You will not receive automatic notifications from Facebook about new content posted by the Data Controller. |
For information about Facebook’s own data processing, please refer to the Privacy Policy available at www.facebook.com or https://www.facebook.com/privacy/explanation. Facebook may continue to process data related to your activities on the Data Controller’s Facebook page after you have unfollowed it. The Data Controller disclaims any liability for Facebook’s own processing of data related to your activities on the Data Controller’s Facebook page, as it has no control over such processing.
Operating an Instagram Page
Category | Details |
Scope of data processed | As an Instagram user, the Data Controller can see the list of followers and those who liked posts, and by clicking on profiles, can see their public information. |
Legal basis | By clicking ‘Like’ or ‘Follow’ on the Data Controller’s Instagram page, the data subject consents to receiving the Data Controller’s news and offers on their own feed. |
Purpose | The Data Controller maintains a page on Instagram. The purpose is to increase brand awareness, publish marketing advertisements, and promote competitions. |
Source of data | Data becomes accessible through your actions (liking, following, posting, etc.). |
Retention period | The connection ends when you click ‘Unfollow’ on the Data Controller’s Instagram page. |
Consequence of refusal | You will not receive automatic notifications from Instagram about new content posted by the Data Controller. |
For information about Instagram’s own data processing, please refer to its privacy policy. Instagram may continue to process data after you unfollow the Data Controller’s page. The Data Controller disclaims any liability for Instagram’s own data processing related to your activities on the Data Controller’s Instagram page.
Operating a LinkedIn Page
Category | Details |
Scope of data processed | As a LinkedIn user, the Data Controller can see the list of followers and those who liked posts, and by clicking on profiles, can see their public information. |
Legal basis | By clicking ‘Like’ or ‘Follow’ on the Data Controller’s LinkedIn page, you consent to receiving the Data Controller’s news and offers on your own feed. |
Purpose | The Data Controller maintains a page on LinkedIn. The purpose is to increase brand awareness, publish marketing advertisements, and promote competitions. |
Source of data | Data becomes accessible through your actions (liking, following, posting, etc.). |
Retention period | The connection ends when you click ‘Unfollow’ or ‘Unlike’ on the Data Controller’s LinkedIn page. |
Consequence of refusal | You will not receive automatic notifications from LinkedIn about new content posted by the Data Controller. |
For information about LinkedIn’s own data processing, please refer to its privacy policy at https://www.linkedin.com/legal/privacy-policy. LinkedIn may continue to process data after you unfollow the Data Controller’s page. The Data Controller disclaims any liability for LinkedIn’s own data processing related to your activities.
Operating a YouTube Channel
Category | Details |
Scope of data processed | As a YouTube user, the Data Controller can see the list of subscribers and those who liked videos, and by clicking on profiles, can see their public information. |
Legal basis | By clicking ‘Subscribe’ on the Data Controller’s YouTube channel, the data subject consents to receiving the Data Controller’s news and offers. |
Purpose | The Data Controller maintains a channel on YouTube. The purpose is to increase brand awareness, publish marketing content, and promote competitions. |
Source of data | Data becomes accessible through your actions (liking, subscribing, posting, etc.). |
Retention period | The connection ends when you unsubscribe from the Data Controller’s YouTube channel. |
Consequence of refusal | You will not receive automatic notifications from YouTube about new content posted by the Data Controller. |
For information about YouTube’s (Google’s) own data processing, please refer to https://policies.google.com/privacy. Google/YouTube may continue to process data after you unsubscribe. The Data Controller disclaims any liability for Google/YouTube’s own data processing related to your activities.
Webshop Registration
Certain services on the Data Controller’s website (e.g., purchasing educational materials) can only be accessed with registration.
Category | Details |
Scope of data processed | Email address, username, password, name, address, phone number, shipping and billing information; if bank transfer is selected as payment method, the name of your bank and bank account number; and data related to the ordered product/service. Please note that for card payments, card data is entered directly within the OTP Simple payment provider’s system and is not processed by the Data Controller. |
Legal basis | Necessary for the performance and conclusion of a contract / placement of an order. Contact data is processed based on the legitimate interest of both parties in maintaining contact. |
Purpose | For concluding a contract (contact data for communication). |
Source of data | Provided by you during registration. |
Retention period | Until deletion of the registration or withdrawal of consent, if no purchase has been made. If a product/service was previously ordered, billing data must be retained in accordance with applicable accounting laws. If registration is deleted before an order has been placed, billing data retention obligations still apply where applicable. |
Consequence of refusal | You will not be able to use all services offered through the website. |
Technical data processed for the operation of the webshop: The system automatically logs technical data generated during service use (e.g., data from the connecting computer). Such technical data cannot be linked to other personal data except as required by law.
For the OTP Simple payment system operated by OTP Mobil Kft., please refer to their data processing notice.
Website Visitor Data (Cookies)
Some cookies on the website collect anonymised statistical data, while others are capable of building a visitor profile. Detailed information is provided in Annex 2. Users are informed about cookie use via a clearly visible notice on the website, with a link to detailed information. Cookies are stored on your computer by your browser. Most browsers accept cookies by default, but you can reject, disable, or delete them via your browser settings.
Category | Details |
Scope of data processed | Some cookies collect anonymised statistical data; others can be used to build a visitor profile. Information stored by cookies may include: type of device used to visit the website, browser information, information entered on the website, advertisements viewed, time spent on subpages, browsing data, exit data, etc. Detailed information is in Annex 2. |
Legal basis | Legitimate interest of the Data Controller. |
Purpose | Some cookies are necessary for the proper functioning of the website; others collect anonymised statistical data or data suitable for building personal profiles. |
Source of data | Collected by cookies based on your browsing habits and transmitted to the Data Controller. |
Retention period | Cookies are automatically deleted 13 (thirteen) months after being downloaded. They can also be manually deleted from the browser (see Annex 2 for details). |
Consequence of refusal | You will not be able to use all services offered through the website. |
Conducting Webinars
Category | Details |
Scope of data processed | As the webinar host, the Data Controller can see the list of participants. Participants’ images and statements are visible to other participants if they contribute to the webinar. |
Legal basis | Your consent as a data subject. |
Purpose | Conducting webinars. |
Source of data | Provided by you. |
Retention period | Data is not stored. |
Consequence of refusal | You will not be able to participate in the webinar. |
Newsletter and Personalised Newsletter
The following cases are not considered newsletters: where email addresses are used primarily for identification purposes (e.g., during registration or ordering), for payment, or for maintaining contact during service delivery. Additionally, the Data Controller may send notifications about changes to its services or general terms and conditions electronically.
Category | Details |
Scope of data processed | Email address, name. For personalised newsletters: also your needs, habits, and preferences shared with the Data Controller during your relationship. The Data Controller may analyse these to send personalised newsletter content. |
Legal basis | Your consent. |
Purpose | To send you business offers and marketing content by email (and for personalised newsletters, offers tailored to your interests). |
Source of data | Provided by you. |
Retention period | Until withdrawal of consent. If you have another relationship with the Data Controller beyond the newsletter (e.g., a previous purchase), the Data Controller may continue to process your data for accounting purposes after unsubscription, but will not send further newsletters. Unsubscribing from the newsletter does not constitute a request to delete your webshop registration. The Data Controller commits to processing withdrawal of consent or unsubscriptions within 5 business days. |
Consequence of refusal | The Data Controller will be unable to send you information about offers and promotions. |
Other Non-Newsletter Marketing Communications
Processing related to sending advertising and marketing messages is separate from processing required for the delivery of products and services. This includes: direct mail; outbound promotional phone calls; marketing SMS messages; marketing emails; preparation of promotional materials, etc.
Category | Details |
Scope of data processed | Identification data (e.g., name), contact details (postal address, email, phone number); in the case of a legal entity, the name and contact details of the natural person contact. |
Legal basis | Your consent. |
Purpose | To send you business offers and marketing messages by email. |
Source of data | Provided by you. |
Retention period | You may withdraw your consent at any time if you no longer wish to receive marketing messages. Consents and withdrawals are recorded by the Data Controller. |
Consequence of refusal | The Data Controller will be unable to send you information about offers and promotions. |
Photo and Video Recording at Events
The Data Controller frequently takes photos or videos at its own events, conferences, group trainings, and educational sessions. Recordings are primarily focused on the Data Controller or co-presenters, and not on participants. Participants are usually filmed from behind. However, participants may become identifiable if they face the camera, ask a question, join the presenter in the speaking area, or a group photo is taken.
Category | Details |
Scope of data processed | Participant’s image and possibly voice, if they speak. |
Legal basis | Legitimate interest of the Data Controller. |
Purpose | To showcase events, presentations, and the Data Controller’s presentation skills; to indicate the number of participants; and to provide an authentic image of the Data Controller’s activities. |
Source of data | Provided by you through your attendance at the event. |
Retention period | You may withdraw consent at any time if you no longer wish to appear in marketing materials. Consents and withdrawals are recorded. |
Consequence of refusal | You will be unable to attend the Data Controller’s events where recordings are made. However, even if you attend, you may request not to appear in recordings, or that recordings featuring you be deleted, not published, or published in a way that makes you unidentifiable. |
Complaint Handling
Category | Details |
Scope of data processed | Identification data (e.g., name), contact details (postal address, email, phone number); in the case of a legal entity, the name and contact details of the natural person contact; name of the service used; name of the product purchased; date of service use/purchase; subject of the complaint and action taken. |
Legal basis | Complaint data is provided voluntarily; however, retention of complaint documentation is a legal obligation under Section 17/A of Act CLV of 1997 on Consumer Protection. |
Purpose | Complaint handling. |
Source of data | Provided by you; the Data Controller also reviews relevant data during investigation. The written response to the complaint originates from the Data Controller. |
Retention period | Data will be deleted 5 years after the complaint is investigated. Anonymised data not traceable to an individual may be used for statistical purposes thereafter. |
Consequence of refusal | You will be unable to submit a complaint to the Data Controller. |
Debt Collection and Legal Enforcement of Claims
Any data transfer is made to lawyers; no debt collection agency is engaged.
Category | Details |
Scope of data processed | Identification data (e.g., name, residential address, sole trader’s registered address; sole trader’s ID number and tax number), contact details (postal address, email, phone number — which may also be obtained from public databases in debt collection cases); in the case of a legal entity, the name and contact details of the natural person contact; contract/order date, ID number, and value; payment data (e.g., bank account number, name of bank); details of late payment or non-payment (payment deadlines, amounts overdue, payment demands sent, etc.). |
Legal basis | Legitimate interest of the Data Controller in receiving payment for services/products provided. |
Purpose | To contact clients who are late or failing to pay. To identify and record clients with overdue debts; to ensure fair, lawful and contractual procedures; to assist clients experiencing temporary financial difficulties; and to enforce legal claims. This applies to the Data Controller, as well as any lawyer, enforcement officer, notary, court, or other party involved in the enforcement process. |
Source of data | Some data (e.g., identification and contact details) is provided by you; some arises from the contract/order; payment defaults and demands are recorded by the Data Controller. |
Retention period | Data subject to accounting laws will be deleted after the period prescribed by applicable laws. Other data is subject to the retention periods described above. Enforcement officers, notaries, courts and lawyers must delete data after the period prescribed by applicable laws. |
Please note that there is an important distinction between data processing for the purpose of service delivery and marketing data processing. Marketing consent may be withdrawn at any time and marketing data must be erased from marketing records. However, data processed in connection with service delivery (or related purposes such as debt collection) may be retained even after withdrawal of consent in cases prescribed by law or where the Data Controller’s legitimate interest persists, as deletion in those cases could prevent the performance of valid contracts or compliance with legal obligations.
IV. Sources of Data
Data is collected from the data subject (i.e., from you).
The data of a natural person contact of a legal entity may also be provided by another contact person or representative of that legal entity.
V. Data Processing Operations and Persons Authorised to Access Data
Data processing operations may include: collection, recording, use, disclosure or otherwise making data available, restriction, erasure and destruction.
Data may be accessed by employees of data processors and by those to whom personal data are transferred pursuant to your consent or by operation of law.
Where the Data Controller co-organises events or training sessions with another business, that business may qualify as a Joint Data Controller, who is authorised (to the extent necessary) to access data collected in connection with the organisation of the event. The existence of a joint data controller will always be apparent from the event announcement and will also be communicated at the event.
VI. Data Transfers
A data transfer means making personal data available or transferring it to a third party (see the definition of ‘Recipient’ in the Definitions section).
The Data Controller will only disclose or transfer personal data in accordance with and to the extent permitted by Data Protection Laws. Personal data may be transferred where:
- You have consented (e.g., for marketing data transfers);
- It is necessary for the performance of a contract concluded with you or in order to take steps at your request prior to entering into a contract;
- Data Protection Laws permit or require it (e.g., in response to requests from supervisory authorities, courts, or police);
- In limited circumstances, where the Data Controller’s legitimate interest permits (e.g., legal enforcement of claims).
In debt collection and legal claim enforcement cases, the Data Controller may engage an external legal expert (lawyer). Access to data is limited to employees of data processors involved in the collection process.
For the enforcement of overdue claims, the Data Controller may transfer data to the following:
- Data processors engaged for debt enforcement purposes;
- Official legal proceedings (notary, court, enforcement officer).
Under applicable Data Protection Laws, data transfers to EU Member States are treated as domestic transfers within Hungary.
Transfers outside the European Union:
With the exception noted below, personal data is not transferred outside the European Union.
‘The Rocket Science Group LLC’, operator of the Mailchimp newsletter platform, is one of the Data Controller’s data processors and is based outside the EU. The company is registered under the EU-US Privacy Shield agreement, which guarantees a high level of data protection. ‘Active Campaign’ also provides emailing and newsletter services and undertakes compliance with GDPR requirements; more information is available at: https://www.activecampaign.com/gdpr-updates/
VII. Data Processors
The Data Controller is entitled to engage data processors and to transfer data to them. Please note that under Data Protection Laws, engaging a data processor does not require prior consent from data subjects but does require informing them. A data processor may not make substantive decisions regarding data processing and may only process personal data as instructed by the Data Controller. The data processor may not process personal data for its own purposes and must store and retain personal data in accordance with the Data Controller’s instructions.
The list of data processors may change; the current list is provided in Annex 1.
VIII. Data Security
Data is stored and processed at the Data Controller’s registered office or place of business; in the case of activities involving data processors, processing may take place at the data processor’s premises.
The Data Controller implements appropriate technical and organisational measures to ensure an adequate level of data security, including ensuring the ongoing confidentiality of personal data.
The Data Controller regularly reviews its data security measures.
These measures include physical protection of data (paper documents stored in secure premises), IT security of the website, and protection of the IT devices used by the company with antivirus software, firewalls and passwords.
Rules on erasure of data upon request:
The Data Controller also ensures data security standards in its cooperation with data processors; contracts with data processors include guarantees regarding security, including technical and organisational requirements and confidentiality obligations for data processor employees. Additionally, data processors may only engage sub-processors with the prior authorisation of the Data Controller.
Please note that data transmission over the internet cannot be considered fully secure. The Data Controller cannot accept full responsibility for data transmitted through its website.
IX. Your Rights and Legal Remedies
General rules regarding the rights of data subjects (including you):
You may contact the Data Controller at any time with requests of the types listed below. The Data Controller will inform you of its decision or any measures taken within 25 days of receiving the request.
If the Data Controller does not agree with your request, it will inform you of its position and your legal remedies within 25 days of receiving the request.
The Data Controller fulfils the following types of requests free of charge. If your request is manifestly unfounded or excessive (in particular due to its repetitive nature), the Data Controller may charge a reasonable fee taking into account administrative costs.
Right of Access (Right to Information)
You have the right to obtain confirmation from the Data Controller as to whether or not your personal data is being processed; and if so, the right to access the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- the envisaged retention period for the personal data;
- your rights to request rectification, erasure or restriction of processing and to object to processing;
- your right to lodge a complaint with a supervisory authority.
If personal data is transferred to a country outside the EU or to an international organisation, you have the right to be informed of the appropriate safeguards relating to the transfer. Upon request, a copy of your personal data will be provided to you. If your request is submitted electronically, the information will be provided in electronic format unless you request otherwise.
Right to Rectification
You have the right to request the rectification or completion of inaccurate personal data concerning you.
Right to Withdraw Consent
Where processing is based on your consent, you may withdraw it at any time. Please note that if there is another legal basis for processing in addition to consent, withdrawal of consent will not result in the cessation of processing. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to Erasure
You may request the erasure of personal data concerning you in the following cases:
- The personal data are no longer necessary in relation to the purposes for which they were collected;
- You withdraw your consent and there is no other legal basis for the processing;
- You object to processing based on legitimate interests and there are no overriding legitimate grounds;
- You object to processing for direct marketing purposes;
- The personal data have been unlawfully processed;
- The personal data must be erased to comply with a legal obligation under Data Protection Laws;
- The personal data have been collected in relation to the offer of information society services to children under the age of 16.
The Data Controller is not required to comply with an erasure request where processing is necessary for:
- exercising the right to freedom of expression and information;
- compliance with a legal obligation which requires processing;
- reasons of public interest in the area of public health as defined in the GDPR;
- archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or
- the establishment, exercise or defence of legal claims.
Right to Be Forgotten
If the Data Controller is required to erase your personal data upon your request as described above, it will take reasonably practicable steps to inform other Data Controllers processing your data that you have requested the erasure of any links to, or copies of, that personal data.
Right to Restriction of Processing
You may request that the Data Controller restrict processing in the following cases:
- You contest the accuracy of the personal data — in which case the restriction applies for the period during which the Data Controller verifies accuracy;
- Processing is unlawful, but you oppose erasure and request restriction instead;
- The Data Controller no longer needs the data, but you require it for the establishment, exercise or defence of legal claims; or
- You have objected to legitimate interest-based processing — in which case the restriction applies pending verification of whether the Data Controller’s legitimate grounds override yours.
Where processing is restricted, personal data may, with the exception of storage, only be processed with your consent, for the establishment, exercise or defence of legal claims, for the protection of rights of another person, or for reasons of important public interest of the Union or a Member State.
Right to Data Portability
You may request that personal data you have provided to the Data Controller be:
- received in a structured, commonly used, machine-readable format; and
- transmitted to another Data Controller;
if: (a) the processing is based on your consent or on a contract to which you are a party, or prior to entering such a contract at your request; and (b) the processing is carried out by automated means.
Right to Object
You have the right to object to processing of your personal data where processing is based on legitimate interests, including profiling. In such a case, the Data Controller may only continue processing if it demonstrates compelling legitimate grounds which override your interests or rights, or for the establishment, exercise or defence of legal claims.
Where personal data is processed for direct marketing purposes, you have the right to object at any time, after which personal data may no longer be processed for such purposes.
Rights Related to Automated Decision-Making
Please note that the Data Controller does not employ automated decision-making.
Your Legal Remedies
If your request regarding the rights described above is rejected and you disagree with the decision, or if the applicable deadline was not met, you, as a data subject, may seek judicial remedy.
Data protection cases fall within the jurisdiction of the regional courts (törvényszék). You may also bring proceedings before the regional court of your place of residence or habitual residence.
You may also initiate proceedings before the data protection supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: 1530 Budapest, Pf.: 5.
Email: ugyfelszolgalat@naih.hu
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Foreign citizens may also lodge a complaint with the supervisory authority of their country of residence.
We recommend that you first submit an objection or complaint to the Data Controller before initiating supervisory or court proceedings.
Amendment of the Privacy Policy
The Data Controller reserves the right to amend this Privacy Policy and will notify data subjects in an appropriate manner.
Annexes
Annex 1: List of Data Processors and Other Recipients
Annex 2: Cookie Policy
Annex 3: List of the Most Important Laws Governing Data Processing
Annex 1: List of Data Processors and Other Recipients
Rozgonyi Roland E.V.
Accountant
Address: 1139 Budapest, Hajdú köz 5.
Phone: +36 30 260 3648
Email: rozgonyiconsulting@gmail.com
Data transferred: billing-related data
Pongó Zsuzsanna — Precima Számviteli Szolgáltató Kft.
Certified accountant
Address: 1147 Budapest, Telepes utca 19. 1/10.
Phone: +36 30 457 7829
Email: info@precima.hu
Data transferred: billing-related data
Domaintank Informatikai Kft.
Domain registrar and database hosting
Address: 2120 Dunakeszi, Kadosa Pál u. 3.
Phone: 06-70/397-9408
Email: ugyfelszolgalat@domaintank.hu
Data accessed: name, address, phone, email
Magyar Hosting / Websupport Magyarország Kft.
Domain registrar and database hosting
Registered address: 1119 Budapest, Fehérvári út 97-99.
Tax number: 25138205-2-43
Phone: +36 1 700 2323
Email: info@mhosting.hu
Data accessed: name, address, phone, email
The Rocket Science Group LLC (Mailchimp)
Newsletter platform operator
Contact: https://mailchimp.com/contact/
Data accessed: correspondence with the Data Controller
Mailchimp is registered under the EU-US Privacy Shield agreement.
Active Campaign
Email and newsletter service provider
Contact: https://www.activecampaign.com/contact?support
Data accessed: correspondence with the Data Controller
Active Campaign undertakes GDPR compliance: https://www.activecampaign.com/gdpr-updates/
TIXA Hungary Kft.
Ticket sales processor for the Data Controller’s events
Address: 5600 Békéscsaba, Dobozi út 58.
Phone: 06-30/279-4869
Email: ugyfelszolgalat@tixa.hu
Data processed: name, address, billing address, phone, email
Privacy policy: https://tixa.hu/adatvedelem
MailerLite Limited
Newsletter and email marketing service provider
Address: Ground Floor, 71 Lower Baggot Street, Dublin, D02 P593, Ireland
Website: https://www.mailerlite.com
Email: support@mailerlite.com
Data transferred: name, email address, IP address, newsletter open and click data
Purpose: sending newsletters and marketing messages
Legal basis: data subject’s consent
Complies with GDPR requirements.
Stripe Payments Europe Limited
Online payment service provider
Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
Website: https://stripe.com
Data transferred: transaction data (amount, ID, date), name, email, billing address, IP address
Purpose: processing online payments
Legal basis: performance of contract and legal obligation
Card data is processed exclusively by Stripe. Complies with GDPR and PCI-DSS security standards.
OTP Mobil Kft. (SimplePay)
Electronic payment service provider
Address: 1143 Budapest, Hungária krt. 17-19.
Website: https://simplepay.hu
Email: ugyfelszolgalat@otpmobil.com
Data transferred: name, email address, billing data, transaction ID, payment amount and date
Purpose: processing online payments via the SimplePay system
Legal basis: performance of contract and legal obligation
The Data Controller does not have access to card data.
Privacy policy: https://simplepay.hu/adatkezelesi-tajekoztato/
Annex 3: List of the Most Important Laws Governing Data Processing (non-exhaustive)
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.)
- Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Commercial Advertising Activities (Grt.)
- Act CXIX of 1995 on the Management of Name and Address Data for Research and Direct Marketing Purposes (Katv.)
- Act C of 2000 on Accounting
- Act CVIII of 2001 on Electronic Commerce and Information Society Services
- Act C of 2003 on Electronic Communications
- Act XX of 1996 on Identification Methods Replacing Personal Identification Numbers
- Act LXVI of 1992 on the Registration of Personal Data and Residential Address of Citizens
- Act CXXXIII of 2005 on Security and Investigative Activities (Szvtv.)
- Act CLV of 1997 on Consumer Protection
- Government Decree 45/2014 (II. 26.) on the Detailed Rules of Contracts between Consumers and Businesses
- Act XLI of 1991 on Notaries (Section 112 on enforcement certificate content)