Privacy Policy
DATA CONTROLLER
Botka Petra (6300 Kalocsa, Tessedik S. u. 1., Hungary, tax number: 32083080-1-41)
Website: www.pilatesbypetrab.com, email: pilatesbypetrab@gmail.com
A.) HOSTING SERVICE (Ensuring the operation of the website, storing data generated during the use of the website)
Data Processor: Squarespace, Inc. (Mailing address: 225 Varick Street, New York City, New York, United States)
The data processor's privacy policy can be accessed here: https://www.squarespace.com/privacy The use of the data processor is necessary for making the website available and ensuring its proper operation. The data processor handles data storage. The location of data storage is on the data processor's server.
B.) INVOICING SERVICE (Issuing proper invoices)
Data Processor: Billingo Technologies Closed Joint Stock Company (Registered office: 1133 Budapest, Árbóc utca 6., 3rd floor, website: www.billingo.hu, email: hello@billingo.hu) The data processor's privacy policy can be accessed here: https://www.szamlazz.hu/adatvedelem/
The use of the data processor is necessary for the proper issuance of invoices and their transmission to the National Tax and Customs Administration (NAV). The following data is provided to the data processor: Billing name, address/registered office, tax number, email address (if appearing on the invoice).
Necessary data for invoicing is provided to Billingo Technologies Zrt: Billingo Technologies Closed Joint Stock Company Registered office: 1133 Budapest, Árbóc utca 6. 1st floor Company registration number: 01-10-140802 Tax number: 27926309-2-41 Website: www.billingo.hu Email: hello@billingo.hu
C.) RECEIVING AND SENDING MESSAGES
Data Processor: Meta Platforms Ireland Limited (Instagram, Facebook Messenger) The data controller's privacy policy can be accessed here: https://www.facebook.com/privacy/policy/
Data Processor: Zoom Video Communications Inc. 55 Almaden Blvd, Suite 600 San Jose, CA 95113 The data controller's privacy policy can be accessed here: https://zoom.us/privacy
D.) RECEIVING AND SENDING EMAILS
Data Processor: Google Inc., Mountain View, California, USA. The Data Processor's privacy policy can be accessed here: https://policies.google.com/privacy The Data Processor is utilized to access email correspondence and associated data.
E.) SENDING NEWSLETTERS
Data Processor: The Rocket Science Group LLC d/b/a Mailchimp (Mailing address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA) The Data Processor's privacy policy can be accessed here: https://www.intuit.com/privacy/statement/
The Data Processor has access to the following data: Subscriber's name, Subscriber's email address, and other occasionally provided personal data. Location of personal data storage: personal data is stored through computer networks.
2. PURPOSE OF DATA PROCESSING
Communication related to the contract established between the Data Processor and the user, provision of the service, ensuring the order of the service, issuance of invoices. The legal basis for this data processing is Article 6(1) a), b), and c) of the GDPR. Data processing outside the contract established between the Data Processor and the user is only carried out with the user's prior consent. Providing personal data is a prerequisite for entering into the contract.
3. DURATION OF DATA PROCESSING
Until the request for deletion from the data subject.
4. TYPES OF COLLECTED DATA
Personal data. Data provided by users when subscribing to the newsletter and data associated with profiles registered on external parties' websites.
5. HOW DATA COLLECTION OCCURS
Data provided by users will be collected. Data provided when subscribing to newsletters will be collected. Data provided by Facebook and Instagram will be collected.
6. DEFINITIONS
"personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
"data processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"restriction of processing": marking stored personal data with the aim of limiting its future processing;
"profile formation": any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
"pseudonymization": the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
"record-keeping system": a structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or classified on a functional or geographical basis;
"data controller": a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law;
"data processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
"recipient": a natural or legal person, public authority, agency, or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
"third party": a natural or legal person, public authority, agency, or body other than the data subject, data controller, data processor, and persons who, under the direct authority of the data controller or data processor, are authorized to process personal data;
"consent of the data subject": any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
"data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
"genetic data": any personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or health of that person and results, in particular, from an analysis of a biological sample from the natural person in question;
"biometric data": any personal data relating to the physical, physiological, or behavioral characteristics of a natural person obtained by means of specific technical processes which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data;
"health data": any personal data related to the physical or mental health of a natural person, including the provision of health care services to that person, which reveal information about his or her health status;
"main establishment":
a) for a data controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken those decisions should be considered to be the main establishment;
b) for a data processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the data processor has no central administration in the Union, the establishment of the data processor in the Union where the main processing activities in the context of the activities of an establishment of the data processor take place to the extent that the data processor is subject to specific obligations under this Regulation;
17. "representative": a natural or legal person established in the Union who, designated by the data controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
18. "enterprise": a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
19. "group of undertakings": a controlling undertaking and its controlled undertakings;
20. "binding corporate rules": personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
21. "supervisory authority": an independent public authority which is established by a Member State pursuant to Article 51;
22. "supervisory authority concerned": a supervisory authority which is concerned by the processing of personal data because:
a) the controller or processor is established on the territory of the Member State of that supervisory authority;
b) the data subject has lodged a complaint with that supervisory authority;
23. "cross-border processing of personal data":
a) processing of personal data which takes place in the Union and which substantially affects or is likely to substantially affect data subjects in more than one Member State who are exercising their rights and freedoms as defined in this Regulation; or
b) processing of personal data which takes place in the Union and which substantially affects or is likely to substantially affect data subjects in more than one Member State who are not exercising their rights and freedoms as defined in this Regulation, but where, in accordance with this Regulation, significant risks are likely to arise for those data subjects in the context of the processing activities of an establishment of a controller or a processor in more than one Member State;
24. "relevant and reasoned objection": an objection made by a natural or legal person, against a draft decision, whether a decision in itself or a decision following a prior consultation, within the meaning of Article 28(6), that is addressed to that person and against which the person may bring proceedings before a court or bring the matter before the supervisory authority with jurisdiction;
25. "information society service": a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (1);
26. "international organization": an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
6. COOKIE (SÜTI) MANAGEMENT:
The Data Controller also informs data subjects that the website uses cookies, also known as "sütik." Cookies are files that store information in the data subject's web browser. A cookie serves as a means of information exchange between the web server and the user's browser. The information sent by cookies helps internet browsers to be more easily recognized, allowing users to receive relevant and personalized content. Cookies make browsing more convenient. With the help of cookies, website operators can also create anonymous statistics about the habits of website visitors. Most cookies do not contain personal information and do not identify users. The stored data is necessary for more convenient browsing.
Websites can use the following types of cookies:
Temporary cookies, which remain on the data subject's device until they leave the website.
Persistent cookies, which, depending on the settings of the data subject's web browser, can remain on the device for a longer period or until the data subject deletes them.
Third-party cookies, which are placed by a third party on the data subject's device (e.g., Google Analytics). These cookies are placed in the browser if the visited website uses services provided by third parties.
Cookies can also be classified as follows:
a) Essential session cookies: Their use is essential for navigating the website and for the functionality of the website. Without accepting these cookies, the website or certain parts of it may not appear correctly or may display errors.
b) Analytical or performance monitoring cookies: These help the Data Controller distinguish between website visitors and gather data on how visitors behave on the website. They do not collect information that can identify data subjects, as the data is aggregated and stored anonymously.
7. RIGHT TO LODGE A COMPLAINT:
If data subjects believe that their rights have been violated, they have the right to lodge a complaint with the competent data protection supervisory authority (in Hungary, the National Authority for Data Protection and Freedom of Information; "NAIH"), and they may also exercise their right to seek judicial remedies. Contact details of NAIH (Headquarters: 1055 Budapest, Falk Miksa Street 9-11. Mailing address: 1374 Budapest, Pf. 603., Tel: +36 1 391 1400, Fax: +36-1-391-1410, Email: ugyfelszolgalat@naih.hu, Website: http://naih.hu/)
8. DATA SUBJECT RIGHTS:
A) RIGHT TO INFORMATION: If the Data Controller processes personal data concerning the data subject, the Data Controller is obliged to provide the data subject with information – even without the data subject's request – about the essential characteristics of data processing. This includes the purpose and legal basis of data processing, its duration, the identity and contact details of the Data Controller and its representative, the contact details of the data protection officer, recipients of the personal data, information on legitimate interests pursued by the Data Controller or a third party in the case of processing based on legitimate interests, as well as the data subject's rights and remedies (including the right to lodge a complaint with the supervisory authority). If the data subject is not the source of the data, information about the source and categories of personal data concerning the data subject should also be provided. The Data Controller provides this information by making this notice available to the data subject.
B) RIGHT TO ACCESS: The data subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed and, if so, to have access to the personal data and certain information related to the processing. This includes the purposes of the processing, categories of personal data concerned, recipients of the personal data, the (planned) duration of processing, the data subject's rights and remedies (including the right to lodge a complaint with the supervisory authority), and information about the source of the data, if the data was not collected from the data subject. Upon request, the Data Controller shall provide a copy of the personal data undergoing processing. The Data Controller may charge a reasonable fee based on administrative costs for further copies requested by the data subject. If the request is made electronically, the information shall be provided in a widely used electronic format, unless otherwise requested by the data subject. The right to obtain a copy should not adversely affect the rights and freedoms of others.
C) RIGHT TO RECTIFICATION: The data subject has the right to request the Data Controller to rectify inaccurate personal data concerning them without undue delay. Considering the purpose of the processing, the data subject also has the right to have incomplete personal data – among other things, through providing a supplementary statement – completed.
D) RIGHT TO ERASURE: The data subject has the right to request the Data Controller to erase personal data concerning them without undue delay, and the Data Controller is obliged to erase such personal data without undue delay if certain conditions are met. For instance, the Data Controller is obliged to erase personal data upon the data subject's request when the personal data is no longer needed for the purposes it was collected or otherwise processed; the data subject withdraws consent on which the processing is based and there is no other legal basis for the processing; or the personal data has been unlawfully processed. However, the right to erasure does not apply if data processing is necessary for:
a) exercising the right of freedom of expression and information;
b) compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject;
c) the performance of a task carried out in the public interest or in the exercise of official authority;
d) archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, unless the erasure would render impossible or seriously impair the achievement of the objectives of such processing; or
e) the establishment, exercise, or defense of legal claims.
E) RIGHT TO RESTRICTION OF PROCESSING: The data subject has the right to request the Data Controller to restrict the processing of personal data if one of the following applies:
a) The data subject contests the accuracy of the personal data, in which case processing shall be restricted for a period enabling the Data Controller to verify the accuracy of the personal data;
b) The processing is unlawful, and the data subject opposes the erasure of the personal data and instead requests the restriction of their use;
c) The Data Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
d) The data subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.
If processing is restricted based on the above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State. If the restriction of processing requested by the data subject is lifted, the Data Controller shall inform the data subject in advance.
F) RIGHT TO OBJECT: The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them based on the legitimate interests of the Data Controller. In this case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
TRANSFER OF DATA TO THIRD COUNTRIES: Among the Data Processors, Google Inc (Email services, Messaging), Meta Platforms Ireland Limited (Community-building, Messaging), Zoom Video Communications Inc. (Video calls), Squarespace Inc (data generated while using the website), The Rocket Science Group LLC d/b/a Mailchimp (newsletter sending out).
Last update: 01. 09. 2023