GDPR (EN)

PRIVACY POLICY ENGLISH

HUNGARIAN LESSON WITH ZSUZSI LTD.

APPLICABLE: FROM 1^st January 2021 UNTIL CANCELLATION

1. Data controller’s data:

Company name:                              Hungarian Lesson with Zsuzsi Kft.

Office:                                                1048 Budapest, Pácoló utca 13. 4. em. 7.

Tax no:                                               24331917-1-41

Company registration number:   01-09-172558

Representative:                               Zsuzsanna Ágnes Ürögdi manager

Telephone:                                       +3670/774 4771

E-mail:                                               info@hungarianlesson.eu  

• Purpose of the Privacy Notice:

The controller acknowledges that the content of this legal notice is binding on him. The purpose of this Privacy Notice is to inform your customers, partners and students regarding the handling of their personal data. The data controller shall process personal data only in accordance with the provisions of the applicable legislation, in strict compliance with the provisions of data management and data protection provisions, taking into account the principles of legality, fairness and transparency, purpose, data saving, accuracy and limited storage.

The controller shall take all technical and organizational measures to ensure that the personal data of her partners are secure in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council as stipulated by this Regulation.

In accordance with the above, the data controller has transformed her day-to-day activities, developed her regulations, records, sample documents and prospectuses.

The data protection policies arising in connection with the data controller’s data management are available at all times at the data controller’s registered office and on her website. The data controller reserves the right to change this information at any time. Of course, she will notify her audience of any changes in a timely manner.

The data controller is committed to the protection of the personal data of her customers and partners, and considers it extremely important to respect the right of her students to information self-determination. The data controller shall treat the personal data confidentially and shall take all security, technical and organizational measures that guarantee the security of the data. The data controller describes her data management practices below.

• Personal, material and temporal scope of the Data Management Information:

The personal scope of this Data Protection Prospectus extends to the data controller as well as to the natural persons whose data are contained in the data processing covered by this Prospectus, as well as to the persons whose rights or legitimate interests are affected by the data processing.

The material scope of the Prospectus covers all data management arising in the course of the activities of the data controller, except for the so-called internal (e.g., employee-related) data management, which is regulated in the Data Management Policy of the data controller.

This Prospectus shall enter into force on the date of approval and shall remain in force indefinitely until further notice.

• Important concept definitions:

Personal data: any information relating to an identified or identifiable natural person. A natural person can be identified who can be identified, directly or indirectly, by one or more of the following factors: an identifier, such as name, number, location, online identifier, or a physical, physiological, genetic, mental, economic, cultural, or social identity.

Specific data: all data belonging to special categories of personal data, i.e. personal data referring to racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the unique identification of natural persons, health data and personal data relating to the sexual life or sexual orientation of natural persons.

Data management: any operation or set of operations on personal data or files, whether automated or non-automated, such as collecting, recording, organizing, sorting, storing, transforming or altering, retrieving, viewing, using, transmitting, distributing or otherwise harmonization, interconnection, restriction or destruction.

Data controller: any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data processor: a natural or legal person, public authority, agency or any other body who processes personal data on behalf of the controller.

Joint controllers: if the purposes and means of data management are jointly defined by two or more controllers, they are considered as joint controllers.

Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who have been authorized to process personal data under the direct control of the controller or processor.

Consent of the data subject: a voluntary, specific and well-informed and clear statement of the data subject’s intention to indicate his or her consent to the processing of personal data concerning him or her by means of a statement or an act unequivocally expressing confirmation.

Privacy incident: A security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal information that is transmitted, stored, or otherwise handled.

• Legitimate data management at the data controller:

Personal data will only be processed by the data controller in the following cases:

1. if the data subject has consented to the processing of his or her personal data for one or more specific purposes,
2. the processing is necessary for the performance of a contract to which one of the parties is the concerned party,
3. the processing is necessary for the fulfillment of a legal obligation to the controller,
4. the processing is necessary in order to protect the vital interests of the data subject or of another natural person,
5. the processing is necessary to protect the legitimate interests of the controller or of a third party.

The lawfulness of data processing is examined by the data controller at all stages of her activity; she only handles data and until such time as she can prove its purpose and legal basis. In the event of the cessation of a condition of a legal basis, the data processing may be continued only if the data controller can prove a suitable other legal basis.

As a general rule, in the case of a legal basis created by implied conduct, it must be examined whether the legal bases can be clearly justified. In case of doubt, for reasons of reasonableness and economy, efforts should be made to confirm in writing the data processing created by the implied conduct.

In the case of consent-based data processing, the data subject gives his or her written consent to the processing of his or her personal data. Consent is not formally binding, but subsequent proof requires written or electronic written consent.

Fulfillment of a legal obligation data-based data processing is independent of the data subject’s consent, as data processing is defined by law.

Irrespective of the mandatory nature of the data processing, the data subject must be informed before the data processing starts and that the data processing is unavoidable, and the data subject must be clearly and informed in detail of all relevant facts concerning the data processing before starting the data processing.

According to the GDPR (General Data Protection Regulation), it is also possible to process personal data if the data processing is necessary for the performance of a contract in which the data subject is a party or the data processing or data collection is necessary. The data controller may process personal data for the purpose of concluding, fulfilling or terminating the contract on the legal basis of the performance of the contract.

• Management of personal data at the data controller:

The data controller provides individual and group Hungarian language instruction (in person and online) to her clients and students. In the course of these activities, she comes into contact with the personal data of natural persons. She performs the following data management activities:

1. In the course of her educational activities, the data controller handles the personal data of the data subject applying for education. Contact the data controller by phone, e-mail, social networking site, or the contact form on the website for those interested in education. Once the conditions for education have been clarified, a date will be agreed. The data controller requests the name, address, telephone number and e-mail address of the data subject. The purpose of the processing of personal data is to ensure that the data subject can be contacted and that they can be contacted in order to change any date. If the data subject does not use the data controller’s service on the date agreed with the data controller and has not requested a change of the date, i.e. the contractual relationship has not been established between the parties, the data controller shall delete the data subject’s personal data immediately, but no later than within 3 working days. The legal basis for the processing of personal data is the establishment of the contract (Article 6 (1) (b) of the General Data Protection Regulation). If the data subject uses the educational service, a contractual relationship is established between the parties. The legal basis for data processing is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation). The data controller issues an invoice for the service fee. The invoice contains the name, address and possibly tax number of the person concerned. The issuance of the invoice is a legal obligation of the data controller. Legal basis for the processing of personal data on the account, fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). With regard to the retention of personal data on the account, the data controller shall comply with the provisions of Act CXLVII of 2012 on the itemized tax on small tax enterprises and the small enterprise tax Act in accordance with the provisions of the law, store them for 5 years.

• You can also apply for courses organized by the data controller via the website by purchasing the course. Buyers can be both individuals and legal entities. The customer can choose to shop in the online store after registration or without registration. The situation for registered buyers becomes easier when applying for another course, as they do not have to enter their details again. Both during registration and in case of registration without registration, the personal data of the data subject (name, address, e-mail address, telephone number) will be processed. The legal basis for the processing of personal data provided for this purpose is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation). The data controller shall issue an invoice to the data subject for the consideration for the service. The invoice contains the name, address and possibly tax number of the person concerned. The issuance of the invoice is a legal obligation of the data controller. The legal basis for the processing of personal data on the account is therefore the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). With regard to the retention of personal data on the account, the data controller shall comply with the provisions of Act CXLVII of 2012 on the itemized tax on small tax enterprises and the small enterprise tax Act in accordance with the provisions of the law, store them for 5 years.

• In accordance with the provisions of Act LXXVII of 2013 on Adult Education, special provisions must also be followed in the case of trainings that qualify as adult education when processing the personal data of the participant, concluding a contract and submitting data to the adult education data provision system. During the application, the data controller requests the personal identification data of the data subject (name, birth name, place and time of birth, mother’s name), home address, e-mail address, and the highest level of education. Where relevant for the training, the controller shall also request information on the professional qualifications and knowledge of the foreign language of the data subject. The purpose of data management is to register for the training, to ensure the possibility to keep in touch with the data subject, to organize the training, to issue an invoice and to fulfill the mandatory data provision in accordance with the provisions of the Adult Education Act. The legal basis for the processing of personal data is the fulfillment of contractual obligations (Article 6 (1) (b) of the General Data Protection Regulation) and the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). If the data controller carries out adult training activities, the documents related to the training, including the invoice, shall be kept for 8 years in accordance with the provisions of the Adult Training Act.

• During education for children, the data controller handles the personal data of the child receiving the education and the legal representative. Anyone interested in education will contact the data controller by phone, e-mail, social networking site, or website. The data controller asks for the child’s and parent’s name, telephone number or e-mail address. The purpose of the processing of personal data is to maintain contact with the child and the parent, as well as to provide a means of contact. If the child (and the legal representative) does not use the service, i.e. the contractual relationship has not been established between the parties, the data controller will delete the personal data of the data subject (s) immediately, but no later than within 3 working days. The legal basis for the processing of personal data is the establishment of the contract (Article 6 (1) (b) of the General Data Protection Regulation), the processing of the child’s data takes place with the consent of the legal representative. If the data subject uses the educational service, a contractual relationship is established between the parties. The legal basis for data processing is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation). The data controller shall issue an invoice for the service fee in the name and address of the legal representative. The issuance of the invoice is the legal obligation of the data controller. Legal basis for the processing of personal data on the account, fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). With regard to the retention of personal data on the account, the data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the itemized tax of small tax enterprises and the small business tax, and shall store them for 5 years. The personal data (name) of the child will not be stored by the data controller after the completion of the education, the personal data will be deleted immediately, but no later than within 3 working days.

• In the performance of her duties, the controller manages the e-mail addresses and telephone numbers of her partners, customers and students, fulfills her contractual obligations (Article 6 (1) (b) of the General Data Protection Regulation) or with their individual consent (Article 6 (1) of the General Data Protection Regulation).

• In the course of her work, the data controller may also be in contact with subcontractors, suppliers and service providers, which also provides a basis for the processing of personal data. In this case, the legal basis for the processing of personal data (in the case of a natural person or a sole proprietor) is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation). The legal basis for the processing of personal data in relation to the personal data of the contact person of the legal person is the explicit, prior informed consent of the data subject concerned (Article 6 (1) (a) of the General Data Protection Regulation).

• Natural persons applying for a data controller may submit a CV to the company. Personal data is also processed in connection with the personal data included in the CV. The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation).

• The data controller presents her activities on her website (www.hungarianlesson.eu). The website uses cookies, which also collect personal information about visitors. The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation).

1. On the website, the visitor of the site has the opportunity to contact the data controller using a contact form. The name and e-mail address of the interested party must be entered on the form. The purpose of the processing of personal data is to contact the visitor of the site and the person interested in the services of the data controller. If the service is not ordered after the contact, the personal data of the interested party will be deleted immediately, but no later than within 3 working days. The controller processes the personal data for the purpose of concluding the contract on this legal basis (Article 6 (1) (b) of the General Data Protection Regulation). By filling in the form, the data subject declares that (s)he has read the Data Controller’s Data Management Information and has taken note of its contents.

• The opinions of some previous clients and students regarding the services provided by the data controller are displayed on the website. Reviews are listed with name and image. The name, image (possibly other personal data) and opinion of the reviewers will only be displayed on the website if they have given their written consent to this in writing (Article 6 (1) (a) of the General Data Protection Regulation).

• The data controller also presents her partners on her website. Stakeholders are indicated by name and image. The personal data of the data subjects will only be displayed on the website if they have given their prior written consent based on appropriate information. The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation).

• On the website, the visitor of the site has the opportunity to evaluate and comment on the courses sold by the data controller. In the case of evaluation and commenting, the data controller requests the name and e-mail address of the data subject. By recording the post and personal data, you give your consent to the handling of your personal data and its publication on the website. The legal basis for the processing of personal data is the informed consent of the data subjects (Article 6 (1) (a) of the General Data Protection Regulation). The persons concerned declare that they have read the Data Controller’s Data Protection Information and have taken note of its contents. Personal data will not be used by the data controller for any other purpose and will not be made available to third parties. The controller shall process the personal data recorded in this way until the consent of the data subjects has been withdrawn. If the data subjects withdraw their consent, the controller shall delete the recorded personal data from her system without delay, but no later than within 3 working days.

• On the website, the visitor of the site has the opportunity to complete a test before applying for the trainings. To access the test, the name and e-mail address of the person interested must be provided, after which the data controller will send the test to the person concerned at the e-mail address provided. The purpose of the processing of personal data is to classify the data subject at the appropriate level and to provide the appropriate level of service. If the service is not ordered after completing the test, the personal data of the interested party will be deleted immediately, but no later than within 3 working days. The controller processes the personal data for the purpose of concluding the contract on this legal basis (Article 6 (1) (b) of the General Data Protection Regulation). By providing their personal data and completing the proficiency test, the data subjects declare that they have read the Data Controller’s Data Management Information and have taken note of its contents.

• At the data manager, it is also possible to subscribe to a newsletter by entering an e-mail address. By subscribing to the newsletter, data subjects declare that they have read the contents of the Data Controller’s Data Management Information, as well as whether they consent to the processing of their personal data for marketing purposes. The data subject has the rights written in the Data Management Information and has the opportunity to exercise these rights in the manner and places written there. Accordingly, the legal basis for the processing of personal data in the course of sending a newsletter is the explicit and written, informed consent of the subscriber (Article 6 (1) (a) of the General Data Protection Regulation).

• The data controller also operates social networking sites for the purpose of presenting her activities and services and for marketing purposes. Here, too, the followers of the pages are managed. The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation).

• The data controller occasionally takes photos or videos of her clients and participants in her trainings. If a recognizable individual is visible in the recording, the recording and use of the recording – in connection with the data controller’s website, social networking sites or other appearances – is only with the prior written, voluntary consent of the data subject (legal representative in case of a person under 18) . The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation).

In the course of complaint handling related to the activities of the data controller, the purpose of data management is to enable the communication of the complaint, to identify the data subjects and their complaint, to record data required by law, and to investigate and settle complaints.

In the event of a complaint, the administration and thus the processing of personal data is mandatory under Act CLV of 1997 on Consumer Protection. Pursuant to this, the legal basis for the processing of personal data, the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation).

The data controller shall keep a data management record of the data processing described above. The register also contains the deadlines set for the deletion of personal data. The register is an appendix to this Data Management Information.

• Data processors and joint data controllers related to the data controller:

If the processing is carried out by someone else on behalf of the controller, the controller may only use processors who provide adequate guarantees of compliance with the requirements of the General Data Protection Regulation or implement appropriate technical and organizational measures to protect the rights of data subjects.

The controller hereby declares that in the course of her work she will only contact data processors who have an adequate guarantee of compliance with the GDPR regulation and the implementation of appropriate technical and organizational measures to ensure the protection of the rights of data subjects. Relevant declarations from data processors are available.

By reading and acknowledging this Privacy Notice, data subjects agree that the data controller will transfer their personal data to the data processors and joint data controllers listed below.

• The data processor is the accounting firm employed by the data controller:
  • Beáta Lőrincz-Kis (self-employed)
  • 1162 Budapest, Attila u.60
  • kisbeata.konyveles@gmail.com

• Partner of the data controller in connection with the issuance of invoices:
  • KBOSS.hu Kft.
  • 1031 Budapest, Záhony u. 7.
  • info@szamlazz.hu

• In order to pay by credit card, the data processor of the data controller is the following, who is also an independent data controller:
  • Stripe Co.
  • 85 Berry St #550, San Francisco, CA 94107, USA
  • info@stripe.com

The legal basis for the processing of personal data is the performance of the contract and then the fulfillment of the retention obligation prescribed by law.

• The company that hosts the data controller’s website is also considered a data processor:

• The server of the data manager’s mail system is also a data processor:

• Additional data processor in connection with the sending of the newsletter:
  • The Rocket Science Group LLC d/b/a Mailchimp
  • Attn. Privacy Officer
  • 675 Ponce de Leon Ave NE, Suite 5000
  • Atlanta, GA 30308 USA
  • privacy@mailchimp.com

• Subcontractors (teachers) cooperating with the data controller are also considered data processors:
  • Ürögdi Zsuzsanna Ágnes private entrepreneur
  • 1132 Budapest, Csanády u. 25. B. ép. 3. em. 15. a.
  • zsuzsi@hungarianlesson.eu

• Gabriella Szűcs
  • 8 Woodside, Ashwell, Oakham, Rutland, Egyesült Királyság
  • sgabsic@gmail.com

• Zsófia Nagy (self-employed)
  • 5200 Törökszentmiklós, Táncsics Mihály u. 41.
  • z.nagyzsofia@gmail.com

•  Zsuzsanna Gabriella Andréka (EFO)
  • 2013 Pomáz, Ady Endre u. 7.
  • andreka.zsuzsi@gmail.com

• Orsolya Végh Orsolya (self-employed)
  • 1015 Budapest, Toldy Ferenc u. 60. 2em./17.
  • veghorsi@gmail.com

• Prosperos 77 Bt. (Papp Emese)
  • 2252 Tóalmás, Széchenyi u. 6.
  • mesepapp@gmail.com

• Lingua Academica Nyelviskola Bt. (Siklósi Orsolya)
  • 1113 Budapest, Nagyszőlős u. 31.
  • gomolyfelho@gmail.com

• Csilla Varga
  • Newport, Monmuthsire NP190PL, Egyesült Királyság
  • xcsillavargax@gmail.com

• The IT used by the data controller is also considered a data processor:
  • Yahia Anane (self-employed)
  • 1053 Budapest, Vámház krt. 4. fsz/6.
  • yahiaanane@gmail.com

• Data processor is also the developer of the application (Redmenta) used by the data controller during her educational activities:
  • Redmenta Nonproft Kft.
  • hello@redmenta.com

• When storing data in a cloud-based online database, the service provider qualifies as a data processor:
  • Google Ireland Limited
  • Gordon House, Barrow Street, Dublin 4, Ireland

• Due to the use of social sites and the social plug-in embedded in the website, the data processing and joint data management partner is:
  • Facebook Ireland Ltd.
  • 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland

The owner of the YouTube social video sharing site is:

• Google Ireland Limited
  • Gordon House, Barrow Street, Dublin 4, Ireland

• In compliance with the obligation prescribed by Act LXXVII of 2013 on Adult Education, the data controller shall forward the personal data of the participants in her trainings to the state administration body for adult education for data provision purposes:
  • Pest County Government Office Vocational and Adult Education Department
  • 1089 Budapest, Kálvária tér 7.
  • telephone: +361210 9721

• The data controller forwards the personal data of her customers to the National Tax and Customs Board as well.

The contracted data processing and data managing partners handle the personal data of the partners only on the basis of the instructions given by the data controller (except for the application of a legal regulation), assuming the obligation of confidentiality.

• Data management related to contracts concluded by the data controller:

Customer contracts:

In the course of her educational activities, the data controller handles the personal data of the data subject applying for education. Contact the data controller via telephone, e-mail, social networking sites or the contact form on the website. Once the conditions for education have been clarified, a date will be agreed. The data controller requests the name, address, telephone number and e-mail address of the data subject. The purpose of the processing of personal data is to ensure that the data subject can be contacted and that they can be contacted in order to change any date. If the data subject does not use the data controller’s service on the date agreed with the data controller and has not requested a change of the date, i.e. the contractual relationship has not been established between the parties, the data controller shall delete the data subject’s personal data immediately, but no later than within 3 working days. The legal basis for the processing of personal data is the establishment of the contract (Article 6 (1) (b) of the General Data Protection Regulation). If the data subject uses the educational service, a contractual relationship is established between the parties. The legal basis for data processing is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation). The data controller issues an invoice for the service fee. The invoice contains the name, address and possibly tax number of the person concerned. The issuance of the invoice is the legal obligation of the data controller. The legal basis for the processing of personal data on the account is the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). With regard to the retention of personal data on the account, the data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the itemized tax of small tax enterprises and the small business tax, and shall store them for 5 years.

You can also apply for courses organized by the data controller via the website by purchasing the course. Buyers can be both individuals and legal entities. The customer can choose to shop in the online store after registration or without registration. The situation for registered buyers becomes easier when applying for another course, as they do not have to enter their details again. Both during registration and in the case of registration without registration, the personal data of the data subject (name, address, e-mail address, telephone number) will be processed. The legal basis for the processing of personal data provided for this purpose is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation). The data controller shall issue an invoice to the data subject for the consideration for the service. The invoice contains the name, address and possibly the tax number of the person concerned. The issuance of the invoice is the legal obligation of the data controller. The legal basis for the processing of personal data on the account is therefore the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). With regard to the retention of personal data on the account, the data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the itemized tax of small tax enterprises and the small business tax, and shall store them for 5 years.

During education for children, the data controller handles the personal data of the child receiving the education and the data of the legal representative. Anyone interested in education will contact the data controller by phone, e-mail, social networking site, or website. The data controller asks for the child’s and parent’s name, telephone number or e-mail address. The purpose of the processing of personal data is to maintain contact with the child and the parent, as well as to provide a means of contact. If the child (and the legal representative) does not use the service, so the contractual relationship has not been established between the parties, the data controller shall and will delete the personal data of the data subject (s) immediately, but no later than within 3 working days. The legal basis for the processing of personal data is the establishment of the contract (Article 6 (1) (b) of the General Data Protection Regulation). The processing of the child’s data takes place with the consent of the legal representative. If the data subject uses the educational service, a contractual relationship is established between the parties. The legal basis for data processing is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation). The data controller shall issue an invoice for the service fee in the name and address of the legal representative. The issuance of the invoice is the legal obligation of the data controller. The legal basis for the processing of personal data on the account is the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). With regard to the retention of personal data on the account, the data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the itemized tax of small tax enterprises and the small business tax, and shall store them for 5 years. The personal data (name) of the child will not be stored by the data controller after the completion of the education, the personal data will be deleted immediately, but no later than within 3 working days.

Management of personal data in connection with adult education:

According to the provisions of Act LXXVII of 2013 on Adult Education, special provisions must also be followed in the case of trainings that qualify as adult education during the processing of the participant’s personal data, concluding a contract and providing data to the adult education data provision system. During the application, the data controller requests the personal identification data of the data subject (name, birth name, place and time of birth, mother’s name), home address, e-mail address, and the highest level of education. Where relevant for the training, the controller shall also request information on the professional qualifications and knowledge of the foreign language of the data subject. The purpose of data management is to register for the training, to ensure the possibility of contacting the data subject, to organize the training, to issue an invoice and to fulfill the mandatory data provision in accordance with the provisions of the Adult Education Act. The legal basis for the processing of personal data is the fulfillment of contractual obligations (Article 6 (1) (b) of the General Data Protection Regulation) and the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). If the data controller carries out adult training activities, the documents related to the training, including the invoice, shall be kept for 8 years in accordance with the provisions of the Adult Training Act.

Supplier contracts:

The data controller may also be in contact with supplier, subcontractor and service partners. In order to keep in touch with partners, personal data may also be processed in these cases. In the case of a natural person or sole proprietor, the legal basis for data processing is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation); in the case of a legal person’s contact, the legal basis paragraph (a).

The data controller fills in a consent statement with the contact persons of the companies, informing them of their rights regarding personal data and asking for their consent to be able to process their data. In such cases, the legal basis for the processing of personal data is the data subject’s explicit, informed, informed consent (Article 6 (1) (a) of the General Data Protection Regulation). If the contract concluded with the partner is terminated and the legal obligation to keep data does not apply to the storage of data and documents, the telephone numbers and e-mail addresses shall be deleted. The personal data contained in the contract and the invoice shall be stored by the data controller for 5 years in compliance with the retention obligation set out in Act CXLVII of 2012 on the itemized tax on small tax enterprises and the small business tax.

• Management of invoices issued to customers and the personal data contained therein:

The data controller shall issue an invoice for the services provided by her. The invoice contains the name, address and possibly tax number of the person concerned. The issuance of the invoice is the legal obligation of the data controller. The legal basis for the processing of personal data on the account is therefore the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). Personal data recorded in this way shall be stored by the data controller for 5 years in compliance with the retention obligation set out in Act CXLVII of 2012 on the itemized tax on small tax enterprises and the small business tax. If the data controller carries out adult training activities, the documents related to the training, including the invoice issued for the amount of the participation fee, shall also be kept for 8 years in accordance with the provisions of the Adult Training Act.

1. Children’s data, handling of special categories of personal data:

During the trainings, the personal data of the children obtained by the data controller during the educations are used by the data controller only for the purpose of establishing contact in the education. Upon completion of the course, the data controller will delete the child’s personal data immediately, but no later than within 3 working days, and will no longer store it in her system.

The data subject declares that he / she has reached the age of 16 in connection with the subscription to the newsletter, the evaluation of the courses and the consent to the operation of the cookies used by the website on the data controller’s website. A person under the age of 16 may not subscribe to a newsletter, evaluate courses or consent to the collection of cookies used by the website, given that his legal consent to data processing under Article 8 (1) of the General Data Protection Regulation (GDPR) requires the permission of his legal representative. The data controller is not in a position to verify the age and entitlement of the consenting party, so the data subject guarantees that the data provided is true.

Special data brought to the knowledge of the controller shall not be recorded by the controller. If such data has entered any system without the knowledge of the data controller, it shall be deleted from the system immediately upon detection.

1. Procedure used for the preservation of e-mail addresses and telephone numbers:

During the activity of the data controller, she also gets to know the e-mail address and telephone number of her partners, customers and students. She processes personal data entered in this way, in particular in order to fulfill her contractual obligations (Article 6 (1) (b) of the General Data Protection Regulation). If the contract concluded with the partner is terminated and the legal obligation to keep data does not apply to the storage of data and documents, the telephone numbers and e-mail addresses shall be deleted. In some cases, the controller still has a legitimate interest in the retention of the data, in which case she shall seek the explicit and written consent of the data subject to the retention of his or her personal data (Article 6 (1) (a) of the General Data Protection Regulation).

1. Management of applications and CVs received by the data controller:

Natural persons applying for the data controller may submit a CV to the company. If the CV has been submitted because the data controller is looking for an employee and has advertised the job, the CV may only be used in connection with that job.

If the candidate does not meet the conditions for the vacancy and another candidate has been selected, the CV will be destroyed immediately. The controller may only retain the application with the express, explicit and voluntary consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation), provided that its retention is necessary to achieve the purpose of the processing.

The data controller does not post “anonymous” job advertisements, as this is contrary to the requirement to be informed in advance of the data controller’s identity (job advertisements in which the employer does not indicate his name, so candidates may not be aware of which employer apply). The controller shall in all cases inform the data subjects of their identity if they publish a vacancy notice.

If the applicant has voluntarily sent a CV to the data controller without an advertisement, (s)he declares whether (s)he consents to the personal data processing by the data controller. Submission of the CV does not mean that the data subject also consents to the storage of the application material by the data controller. It is also important that the data controller may use the CV only in respect of vacancies indicated by the job applicant. Resumes are normally kept for 3 months, unless a longer period is specified in the data subject’s consent.

During the assessment of the job application, the data controller only checks and obtains information about the applicant’s profile page on the community page if (s)he has informed the data subjects in advance. In such cases, too, she will only look at public data and will base her selection solely on information that is relevant to the job application or job. Under no circumstances will the job applicant’s profile page be saved or stored and passed on to third parties.

If the data subject is not selected for the job, the controller shall inform him/her and the reason for the refusal.

1. Taking photos and videos at the data controller:

The data controller occasionally takes photos or videos of her clients and participants in her trainings. If a recognizable individual is visible in the recording, the recording and use of the recording – in connection with the data controller’s website, social networking sites or other appearances – may take place only with the prior written, voluntary consent of the data subject (legal representative in case of a person under 18). The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation).

If the data subject withdraws the consent and requests the cessation of the use of the recording or the cancellation of the recording, the controller shall comply with this request without delay.

1. Website of the data controller:

The data controller presents her activities, services and courses on her website (www.hungarianlesson.eu). The website provides visitors with information about the contact details of the data controller.

The data controller’s website uses cookies. The legal basis for the processing of personal data obtained by them is the consent of the visitor (Article 6 (1) (a) of the General Data Protection Regulation).

The following cookies are used during the operation of the www.hungarianlesson.eu website:

• MCPopupClosed
• duration: 1 year
• type: other
• __stripe_mid
• duration: 1 year
• type: other
• __stripe_sid
• duration: 40 minutes
• type: other
• icegram_campaign_shown_1561
• duration: 1 day
• type: other
• mailchimp_landing_site
• duration: 1 month
• type: marketing
• woocommerce_cart_hash
• duration: until end of browsing
• type: mandatory
• woocommerce_items_in_cart
• duration: until end of browsing
• type: mandatory
• woocommerce_recently_viewed
• duration: until end of browsing
• type: mandatory
• wp_woocommerce_session_3e6930ba1455face486ba47889436f52
• duration: 2 days
• type: mandatory
• VISITOR_INFO1_LIVE         
• duration: 6 months
• type: marketing – Youtube
• YSC    
• duration: until end of browsing
• type: marketing – Youtube
• test_cookie
• duration: 15 minutes
• type: other
• IDE
• duration: 1 year 24 days
• type: other
• _abck
• duration: 1 day
• type: mandatory
• bm_sz
• duration: 4 hours
• type: mandatory
• CONSENT
• duration: 16 year 9 months
• type: other
• ak_bmsc
• duration: 2 hours
• type: other
• _mcid
• duration: 1 year
• type: other

Cookies:

Task of cookies, they:

• collect information about visitors and their devices;
• memorize the individual settings of the visitors that can be used;
• facilitate the use of the website;
• provide a quality user experience.

For customized service, a small data packet, called a cookie, is placed on the user’s computer and is read back during a later visit. If the browser returns a previously saved cookie, the cookie provider has the option to link the user’s current visit to the previous ones, but only for their own content.

Mandatory session cookies:

The purpose of these cookies is to allow visitors to fully and seamlessly browse the website, use its features and the services available there. These types of cookies last until the end of the session (browsing), and when you close the browser, these types of cookies are automatically deleted from your computer or other device used for browsing.

The choice of the data subject in relation to the cookie:

Web browser cookies:

In the browser settings, the person concerned can accept or reject the new cookies and delete the existing cookies. You can also set your browser to notify you each time new cookies are placed on your computer or other device. You can find more information about handling cookies in the “help” function of the browser.

If a visitor chooses to turn off some or all cookies, s(he) will not be able to use all features of the website.

Third-party cookies (marketing):

Social plug-in application:

The data manager’s website also uses the embedded content of the social site (Youtube). In these cases, joint data management is implemented with the operator of the social site. The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation), which is given by accepting information on the collection of data about cookies, by consenting to the collection of data.

The data subject declares that (s)he has reached the age of 16 regarding the acceptance of the use of cookies on the data controller’s website. A person under the age of 16 may not declare the acceptance or rejection of cookies used by the website, given that the validity of his statement of consent to data processing under Article 8 (1) of the General Data Protection Regulation (GDPR) requires the permission of his legal representative. The data controller is not in a position to verify the age and entitlement of the consenting party, so the data subject guarantees that the data provided is true.

Purchasing courses and handling personal information during registration:

You can also apply for courses organized by the data controller via the website by purchasing the course. Buyers can be both individuals and legal entities. The customer can choose to buy in the online store after registration or without registration. The situation for registered buyers becomes easier when applying for another course, as they do not have to enter their details again. Both during registration and without registration, the personal data of the data subject (name, address, e-mail address, telephone number) will be processed. The legal basis for the processing of personal data provided for this purpose is the fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation). The data controller shall issue an invoice to the data subject for the consideration for the service. The invoice contains the name, address and possibly the tax number of the person concerned. The issuance of the invoice is the legal obligation of the data controller. The legal basis for the processing of personal data on the account is therefore the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation). With regard to the retention of personal data on the account, the data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the itemized tax of small tax enterprises and the small business tax, and shall store them for 5 years.

Management of personal data when using the contact form:

On the website, the visitor of the site has the opportunity to contact the data controller using a contact form. The name and e-mail address of the interested party must be entered on the form. The purpose of the processing of personal data is to contact the visitor of the site and the person interested in the services of the data controller. If the service is not ordered after the contact, the personal data of the interested party will be deleted immediately, but no later than within 3 working days. The controller processes personal data for the purpose of concluding the contract on this legal basis (Article 6 (1) (b) of the General Data Protection Regulation). By filling in the form, the data subject declares that (s)he has read the Data Controller’s Data Management Information and has taken note of its contents.

Management of personal data in connection with the “Opinions” listed on the website:

The opinion of some previous clients and students regarding the services provided by the data controller is displayed on the website. Reviews are listed with name and image. The name, image (possibly other personal data) and opinion of the reviewer will only be displayed on the website if (s)he has given his/her written consent to this in writing (Article 6 (1) (a) of the General Data Protection Regulation). The controller shall process the personal data until the data subject’s consent has been withdrawn.

Personal data management during the presentation of partners and instructors:

The data controller also presents her partners on her website. Data subjects are indicated by name and image. The personal data of the data subject will only be displayed on the website if (s)he has given his/her prior written consent based on appropriate information. The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation). The controller shall process the personal data until the data subject’s consent has been withdrawn.

Management of personal data related to the evaluation of courses:

On the website, the visitor of the site has the opportunity to evaluate and comment on the courses sold by the data controller. In the case of evaluation and commenting, the data controller requests the name and e-mail address of the data subject. By recording the post and personal data, you give the visitor your consent to the processing of your personal data and its publication on the website. The legal basis for the processing of personal data is the informed consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation). The data subject declares that (s)he has read the Data Controller’s Data Management Information and has taken note of its contents. Personal data will not be used by the data controller for any other purpose and will not be made available to third parties. The controller shall process the personal data thus recorded until the data subject’s consent has been withdrawn. If the data subject withdraws his/her consent, the data controller shall delete the recorded personal data from his or her system without delay, but no later than within 3 working days.

In connection with the evaluation of online products, the data subject states on the data controller’s website that (s)he has reached the age of 16 . A person under the age of 16 may not write an assessment, given that the validity of his/her legal consent to data processing under Article 8 (1) of the General Data Protection Regulation (GDPR) requires the permission of his/her legal representative. The data controller is not in a position to verify the age and entitlement of the consenting party, therefore, the data subject guarantees that the data provided is true.

Management of personal data when applying for the level test:

On the website, the visitor has the opportunity to complete a test before applying for the trainings. To access the test, the name and e-mail address of the person interested must be provided, after which the data controller will send the test to the person concerned at the given e-mail address. The purpose of the processing of personal data is to classify the data subject at the appropriate level, to provide the appropriate level of service. If the service is not ordered after completing the test, the personal data of the interested party will be deleted immediately, but no later than within 3 working days. The controller processes personal data for the purpose of concluding the contract on this legal basis (Article 6 (1) (b) of the General Data Protection Regulation). By providing personal data and completing the proficiency test, the data subject declares that (s)he has read the Data Management Information Sheet of the data controller and has taken note of its contents.

1. Newsletter subscription:

It is also possible to subscribe to a newsletter at the data controller. By subscribing to the newsletter, the data subject declares that (s)he has read the contents of the Data Controller’s Data Management Information, as well as whether (s)he consents to the processing of his/her personal data for marketing purposes (for sending a newsletter). The data subject has the rights written in the Data Management Information and has the opportunity to exercise these rights in the manner and places written there. Accordingly, the legal basis for the processing of personal data during the sending of the newsletter is the explicit and written consent of the subscriber (Article 6 (1) (a) of the General Data Protection Regulation).

The purpose of the data management related to the sending of the newsletter is to provide the recipient with full general or personalized information about the news and the latest news appearing at the data controller, in accordance with the relevant and applicable legislation. Subscribing to a newsletter and/or sending a letter for DM is based on voluntary consent, the data controller will of course give the data subject the opportunity to withdraw his/her consent and unsubscribe from the newsletter at any time.

In connection with the subscription to the newsletter, the data subject declares on the data controller’s website that (s)he has reached the age of 16. A person under the age of 16 may not subscribe to the newsletter, given that the validity of his statement of consent to data processing under Article 8 (1) of the General Data Protection Regulation (GDPR) requires the permission of his legal representative. The data controller is not in a position to verify the age and entitlement of the consenting party, so the data subject guarantees that the data provided is true.

1. Data controller social networking sites:

The data controller also operates a Facebook page, where personal data is processed. The data controller also promotes her activities and describes her services on her Facebook page. This page is used by the data controller for marketing purposes.

https://www.facebook.com/hungarian.lesson.zsuzsi

The data controller also provides comprehensive personal support via Facebook. If you place a question via Facebook, she will try to answer it as soon as possible. She only uses the data she has learned on the Facebook page to answer the question rather than for further advertising purposes. 

The purpose of using the Facebook page is to advertise on social media and communicate information. Facebook may also use the data for its own purposes, including profiling the subjects and targeting them with ads.

You must be logged in to contact the data controller via Facebook. For this purpose, Facebook may also request, store and process personal data. The data controller has no influence on the type, scope and processing of these data and does not receive personal data from the Facebook operator. You can find more information on the Facebook page.

The personal data of the followers on Facebook are processed by the data controller in accordance with their consent (Article 6 (1) (a) of the General Data Protection Regulation), the consent is given by the person’s liking, following, posting or commenting on her page.

The data controller is also present on the Instagram social site with the profile named below:

https://www.instagram.com/hungarianlesson_with_zsuzsi/

The personal data of the followers is processed on the Instagram page. The processing is carried out on a legal basis for consent (Article 6 (1) (a) of the General Data Protection Regulation).

A further community site of the controller where the legal basis for the processing is also the consent of the data subject is as follows (Article 6 (1) (a) of the General Data Protection Regulation):

https://www.youtube.com/channel/UCRoQDAv2nDyCejTOuS9RbKg

1. Personal data management when using cloud-based applications:

The data controller primarily uses cloud-based services for storing, backing up and sharing documents. A common feature of such services is that they are not provided by the user’s computer, but by a remote server, a server center located anywhere in the world. Online hosting also provides such a service. The big advantage of cloud applications is that they provide geographically independent, highly scalable IT storage and processing capacity.

In these cases, the cloud provider can be considered a data processor who processes personal data on behalf of the data controller. Cloud providers are obliged to keep personal data confidential and may only process data upon the instructions of the data controller.

The data controller selects her cloud service partners with the utmost care. She takes all generally expected measures to enter into a contract with them which also takes into account the data security interests of her customers and students. She makes every effort to make her data management principles transparent and regularly monitors data security.

Cloud-based repositories are password-protected, and only the data controller can access the data stored there.

The data controller’s partners expressly consent to the data transfer required for the use of cloud-based applications by accepting this Data Management Information. The legal basis for data processing is the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation).

1. Complaints handling related to the activities of the data controller:

During the handling of complaints related to the activities of the data controller, the purpose of data management is to enable the communication of the complaint, to identify the data subject and his complaint, to record the data required by law, and to investigate and contact the complaint.

In the event of a complaint, the administration, and thus the processing of personal data, is mandatory under Act CLV of 1997 on Consumer Protection. Accordingly, the legal basis for the processing of personal data is the fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation).

The data controller shall keep the record of the complaint and a copy of the response for 5 years, on the basis of which (s)he shall also processes the personal data during this period.

1. Security of data management:

The controller undertakes to ensure the security of the data, to take the technical and organizational measures and to maintain the rules of procedure to ensure that the data recorded, stored or processed are protected. She prevents data destruction, unauthorized use and unauthorized alteration. She also undertakes to call upon any third party to whom the data is transmitted or transferred to comply with the data security requirement.

The data controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorized persons. The processed data may only be disclosed to the data controller and the data processors used by her; they shall not be passed on to a third party who is not entitled to access the data.

The data controller pays special attention to the security of the personal data of her customers and students. She acts in full compliance with legal provisions and requires all partners to do the same. The protection of personal data also includes physical data protection (storage of documents in a locked room, locked cabinet) as well as IT protection (use of password protection).

The data controller stores the personal data provided by the data subject primarily on the servers of the data processor (s) specified in this Data Management Information with standard protection systems, partly on her own IT devices, and, in the case of paper data carrier, at her registered office, properly locked.

Data subjects acknowledge and agree that the protection of data on the Internet and in the computer system cannot be fully guaranteed when their personal data are provided. In the event of unauthorized access or disclosure, despite the efforts of the data controller, it is necessary to proceed as described in this prospectus.

• Rights of data subjects:

Transparent information:

This Data Management Prospectus also serves the purpose of providing clear, concise, transparent, comprehensible information about the data management activities applied at the data controller.

Access right:

The data subject shall have the right to receive feedback from the controller as to whether the processing of his/her personal data are in progress and, if such processing is in progress, shall have the right to access the personal data and the following information:

• the purpose of data management,
• the categories of personal data concerned,
• the recipients to whom the personal data have been communicated,
• the planned duration of the storage of personal data.

You can request information about the above data from the data controller at the following address, e-mail address:

Hungarian Lesson with Zsuzsi Kft. 1048 Budapest, Pácoló utca 13. 4. em. 7.

E-mail: info@hungarianlesson.eu

The data controller hereby informs you that she will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

Right to rectification:

The data subject has the right to have inaccurate personal data concerning him/her rectified at his/her request.

You can request information about the above data from the data controller at the following address, e-mail address:

Hungarian Lesson with Zsuzsi Kft. 1048 Budapest, Pácoló utca 13. 4. em. 7.

E-mail: info@hungarianlesson.eu

The data controller hereby informs you that she will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

Right of cancellation:

The data subject has the right to have his/her personal data deleted at the request of the controller. Based on this request, the data controller is obliged to delete personal data if one of the following reasons exists:

• personal data are no longer required for the purpose for which they were collected,
• the data subject withdraws his/her previous consent and there is no other legal basis for the processing,
• the data subject objects to the data processing and there is no overriding legitimate reason for the data processing,
• personal data have been processed unlawfully,
• it is necessary to delete the data in order to fulfill a legal obligation under EU or Member State law.

You can request information about the above data from the data controller at the following address, e-mail address:

Hungarian Lesson with Zsuzsi Kft. 1048 Budapest, Pácoló utca 13. 4. em. 7.

E-mail: info@hungarianlesson.eu

The data controller hereby informs you that she will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

Right to restrict data management:

The data subject has the right to request that the data controller restrict the data processing, especially if the data subject:

• disputes the accuracy of the data,
• considers the data processing to be illegal, but for some reason does not request the deletion of the data.

You can request information about the above data from the data controller at the following address, e-mail address:

Hungarian Lesson with Zsuzsi Kft. 1048 Budapest, Pácoló utca 13. 4. em. 7.

E-mail: info@hungarianlesson.eu

The data controller hereby informs you that she will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

Right to data portability:

The data subject has the right to receive his/her personal data in a structured, widely used machine-readable format and to transfer this data to another data controller.

You can request information about the above data from the data controller at the following address, e-mail address:

Hungarian Lesson with Zsuzsi Kft. 1048 Budapest, Pácoló utca 13. 4. em. 7.

E-mail: info@hungarianlesson.eu

The data controller hereby informs you that she will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

Right to protest:

The data subject has the right to object at any time to the processing of his/her personal data for reasons related to his/her situation, as provided for in Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.

You can request information about the above data from the data controller at the following address, e-mail address:

Hungarian Lesson with Zsuzsi Kft. 1048 Budapest, Pácoló utca 13. 4. em. 7.

E-mail: info@hungarianlesson.eu

The data controller hereby informs you that she will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The right of the data subject in the case of automated decision-making:

The data subject shall have the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effects or would significantly affect him. Automated decision-making is any procedure or methodology in which technical automation assesses the personal characteristics of the data subject and which has a legal effect on him/her or has a significant effect on him/her. The data controller does not use IT automations suitable for profiling, which have a significant impact on the data subject’s rights.

You can request information about the above data from the data controller at the following address, e-mail address:

Hungarian Lesson with Zsuzsi Kft. 1048 Budapest, Pácoló utca 13. 4. em. 7.

E-mail: info@hungarianlesson.eu

The data controller hereby informs you that she will respond to your request within 30 days. Requests for information sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.

The controller undertakes to inform all recipients to whom she has communicated personal data of any of the above rights, unless this proves impossible. She also undertakes to notify the person concerned (applicant) of the decision to deal with the above requests within 30 days at the latest.

• Privacy (data protection) incident:

A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored or otherwise handled.

In the event of a data protection incident, the level of data security breach must be of a serious risk, so the degree of breach must be such that the personal data:

• are destroyed,
• are lost,
• change,
• are communicated without authorization, or
• have unauthorized access to them.

It is considered an incident if any of the above occurs, but this does not preclude several points from occurring at the same time. Not only intentional, malicious behavior falls into this category, but also injuries caused by negligence. An incident therefore occurs when it is caused by an accidental or illegal act.

For example, the following are considered privacy incidents:

• illegal transfer of personal data on a document, portable device, data carrier or IT system (eg by correspondence),
• unauthorized access to an IT system or application which handles personal data,
• damage to or loss of all or part of a database containing personal data,
• making part or all of the IT system unusable by a virus or other malicious software, etc.

In the absence of appropriate and timely action, a data protection incident may cause physical, pecuniary or non-pecuniary damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or misuse of identity, financial loss, unauthorized resolution of pseudonyms, damage to good reputation, breach of the confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural persons concerned.

In the event of a potential data protection incident (unless the data protection incident is not likely to pose a risk to the rights and freedom of natural persons), the controller shall immediately notify the National Data Protection and Freedom of Information Authority. As soon as the data controller becomes aware of the incident, she shall report it without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident. If the notification cannot be made within 72 hours, the reason for the delay shall be stated and the required information shall be provided in detail, without further undue delay.

To report a data protection incident, the National Data Protection and Freedom of Information Authority operates a system set up for this purpose on its website, through which reports can be made electronically.

The data controller shall keep a record of the data protection incidents, indicating the facts relating to the data protection incident, their effects and the measures taken to remedy them. The controller must keep records of incidents, including their causes, incidents and the range of personal data involved. The effects and consequences of incidents should be included in the register, as well as the measures taken to remedy them and the conclusions of the controller (for example: why do you think the incident is not notifiable or, if late, what was the reason for the delay).

It is not necessary to notify the supervisory authority of an incident that is not likely to pose a risk to the rights and freedoms of natural persons.

If a data protection incident is likely to pose a high risk to the rights and freedom of the controller’s customers, she will immediately inform the relevant partner. The information provided to the data subject shall clearly and intelligibly describe the nature of the data protection incident and provide key information and measures.

The data subject need not be informed as above if any of the following conditions are met:

• the controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular measures that make the data incomprehensible to persons not authorized to access personal data;
• the controller has taken further measures following the data protection incident to ensure that the high risk to the data subject’s rights and freedom is no longer likely to materialize;
• the information would require a disproportionate effort. In such cases, the data subject shall be informed by means of publicly available information or a similar measure shall be taken to ensure that they are informed in a similarly effective manner.

• Information on relevant legislation:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 Data Protection Regulation, GDPR);
• Act CXII of 2011 on the right to information self-determination and freedom of information (Info. Act);
• Act V of 2013 on the Civil Code (Civil Code);
• Act LXXVII of 2013 on adult education;
• Act CXLVII of 2012 on the itemized tax on small tax enterprises and the small business tax.

• Right to apply to the courts:

In the event of a breach of his rights, the data subject may take legal action against the data controller. The court is acting out of turn in the case.

• Data protection authority procedure:

Complaints can be lodged with the National Data Protection and Freedom of Information Authority:

Name:                        National Data Protection and Freedom of Information Authority

Office:                        1055 Budapest, Falk Miksa u. 9-11.

Mail address:           1363 Budapest, Pf. 9.

Telephone:               +3613911400

Fax:                             +3613911410

E-mail:                       ugyfelszolgalat@naih.hu

Web:                          http://www.naih.hu

• Other provisions:

The data controller shall provide information on data processing not listed in this prospectus when recording the data. In such cases, the provisions of the applicable law shall prevail.

The data controller hereby informs her clients that the court, the prosecutor, the investigating authority, the infringement authority, the administrative authority, the National Data Protection and Freedom of Information Authority, the Hungarian National Bank or other bodies are authorized to provide information, communicate and transfer data or contact the data controller to make documents available. The controller shall provide personal data to the authorities, provided that the authority has indicated the precise purpose and scope of the data, only to the extent strictly necessary for the purpose of the request.

The Data Protection Authority’s website contains further information on the data protection rights referred to in this Privacy Policy.

Budapest, 1^st January 2021

Zsuzsanna Ágnes Ürögdi

directing manager

ANNEX 1

Serial number	Name of the processing of personal data	Purpose of data management	Legal basis for data management	Deadline for deleting personal data
1	Personal data provided during the application for education (name, address, telephone number, e-mail address)	Registration of the application, contact	Establishment of a contract (Article 6 (1) (b) of the General Data Protection Regulation)	If the data subject does not appear at the training, the data will be deleted immediately, but no later than within 3 working days.
2	Personal data of the child (name of child) provided when applying for education	Registration of the application, contact	Establishment of a contract (Article 6 (1) (b) of the General Data Protection Regulation) with the consent of the legal representative	If the data subject does not appear at the training, the data will be deleted immediately, but no later than within 3 working days.
3	Personal data (name, address, telephone number, e-mail address) recorded after attending the training	Fulfillment of the task undertaken in the contract, contact with the person concerned	Fulfillment of contractual obligations (Article 6 (1) (b) of the General Data Protection Regulation)	Within 30 days after the expiry of the statutory retention obligation (5 years)
4	Personal data of the child recorded after the education (name of the child)	Fulfillment of the task undertaken in the contract, contact	Establishment of a contract (Article 6 (1) (b) of the General Data Protection Regulation) with the consent of the legal representative	Data will be deleted immediately after the end of the training, but no later than within 3 working days
5	Personal information provided during purchase and registration on the Website	In order to fulfill the contract, for contact purposes	Performance of the contract (Article 6 (1) (b) of the General Data Protection Regulation)	Within 30 days after the expiry of the statutory retention obligation (5 years)
6	Personal details of the contact person of the legal entity when purchasing and registering on the website	In order to fulfill a contractual obligation	With the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	In the event of withdrawal of consent, immediately. Within 10 working days after the termination of the contract, unless legislation provides for a retention obligation in connection with the contract (within 30 days after the expiry of the obligation)
7	Personal information provided when applying for adult education	In order to fulfill the contract, to keep in touch, to provide data	Contractual legal basis (Article 6 (1) (b) of the General Data Protection Regulation) and fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation)	Within 30 days after the expiry of the statutory retention obligation (5 years)
8	Personal data on the invoice issued to the users and customers of the service (in case of a natural person, sole proprietor)	Fulfillment of the obligation prescribed by law, issuance of the invoice	Fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation)	Within 30 days after the expiry of the statutory retention obligation (5 years). In the case of adult education, also within 30 days after the end of the 8th year
9	Data management related to incoming e-mails (senders’ e-mail addresses), telephone numbers	In order to fulfill a contractual obligation or on the basis of consent	Fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation) or consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	Within 10 working days after the completion of the task, or immediately after the withdrawal of the consent, within a maximum of 3 working days
10	Personal data of suppliers, service providers, subcontractors (in case of a natural person or sole proprietor)	In order to fulfill a contractual obligation	Fulfillment of a contractual obligation (Article 6 (1) (b) of the General Data Protection Regulation)	Within 30 days after the expiry of the statutory retention obligation (5 years)
11	Personal data of the contacts of the suppliers, service providers and subcontractors	In order to fulfill a contractual obligation	With the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	In the event of withdrawal of consent, immediately. Within 10 working days after the termination of the contract, unless legislation provides for a retention obligation in connection with the contract (within 30 days after the expiry of the obligation)
12	Personal data in job applicants’ CVs	In order to fill the advertised position or to use it in the event of a subsequent vacancy. Finding the right quality worker	Consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	In the event of a vacancy, the CV of the unsuccessful applicant will be destroyed immediately by the data controller. The data subject of the data subject submitted voluntarily shall be stored with his/her consent until the deadline specified in the consent.
13	Personal data recorded during the collection of data by cookies managed by the website	Increasing the user experience, developing the website	With the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	Immediately, but no later than 3 working days after the withdrawal of consent
14	Personal data provided during the use of the contact form on the website (name, e-mail address)	For contact purposes	To establish a contract (Article 6 (1) (b) of the General Data Protection Regulation)	Immediately after the contact, but no later than within 3 working days, unless the contractual relationship is established
15	Personal data (eg name, image) that may be provided during the publication of the opinions on the website	Reference; to promote services	With the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	Immediately after withdrawal of consent
16	Personal data published on the website during the presentation of the instructors (eg name, image)	To promote the activity	With the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	Immediately, but no later than 3 working days after the withdrawal of consent
17	Personal data provided during the evaluation of the courses on the website (name, e-mail address)	To promote courses and activities	With the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	Immediately, but no later than 3 working days after the withdrawal of consent
18	Personal data provided during the completion of the level assessment test that can be requested on the website (name, e-mail address)	For the purpose of grouping at the appropriate level and providing the appropriate level of service	To establish a contract (Article 6 (1) (b) of the General Data Protection Regulation)	Immediately after the completion of the test, but no later than within 3 working days, unless the contractual relationship is established
19	Personal information provided during the newsletter subscription (e-mail address)	To send a newsletter	With the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	Immediately after withdrawal of consent
20	Personal data obtained by the data controller during the use of social sites	To promote the activity and services	With the consent of the data subject (Article 6 (1) (a) of the General Data Protection Regulation)	Immediately after withdrawal of consent
21	Photographs and videos of clients and course participants	Promote the service and activity, use the recordings in connection with the website, social networking sites and other appearances	Consent of the data subject (or legal representative) (Article 6 (1) (a) of the General Data Protection Regulation)	Immediately, but no later than 3 working days after the withdrawal of consent
22	Personal data obtained during the handling of complaints	To identify and handle the complaint	Fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation)	Within 30 days after the expiry of the statutory retention obligation (5 years)