1. Controller’s details

Name of the Controller:Böröczky Zoltán
Registered office:1173 Bp. Uszoda utca 14
Tax number:90555781-1-1-42
Company registration number: Sole proprietor
Phone: +36 70 361 2161

2. Privacy statement

This Privacy Notice and Statement (hereinafter: Notice) describes the personal data processing practices of COMPANY NAME (hereinafter: Controller) and provides the most important information related to data protection.

When using our services, you may provide us with personal data. We always process such data in compliance with applicable laws, with due care and appropriate security measures, in order to fully meet your data protection expectations.

We place special emphasis on preventing unauthorized access to data; confidentiality and data security are core values of our data processing operations.

Applicable legislation (in particular):

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR, hereinafter: Regulation).

Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.

The Fundamental Law of Hungary.

Act V of 2013 on the Civil Code.

Act C of 2003 on Electronic Communications.

Act CVIII of 2001 on Electronic Commerce Services and Information Society Services.

Act CL of 2017 on the Rules of Taxation.

Act C of 2000 on Accounting.

Act CLV of 1997 on Consumer Protection.

Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.

Purpose of the Notice:
to transparently present the rights and obligations of data subjects, the scope of data we collect and process, the principles, methods, purposes, legal bases, and duration of data processing, so that all data subjects receive a clear picture of how we process and protect personal data.

3. Definitions

Data breach: an event leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Data erasure: the permanent removal or anonymization of personal data so that it can no longer be linked to the data subject.

Controller: the natural or legal person/organization that determines the purposes and means of data processing and makes decisions regarding processing operations.

Data subject: a natural person whose personal data is processed and who can be identified directly or indirectly.

Processor: a natural or legal person/organization that processes data on behalf of the Controller.

Special category data: data requiring increased protection (e.g., health data, racial or ethnic origin, religious or political beliefs, genetic or biometric data, data concerning sex life).

Data transfer: making personal data accessible or transferring it to a third party; transfers within the EEA are considered domestic.

Personal data: any information relating to an identified or identifiable natural person (e.g., name, email, phone number, IP address).

Data processing: any operation performed on personal data (collection, storage, use, transfer, deletion, etc.).

GDPR: EU Regulation 2016/679.

Third country: any country outside the EEA.

EEA Member State: EU Member States and other countries participating in the EEA.

NAIH: the Hungarian National Authority for Data Protection and Freedom of Information.

4. Basic principles of data processing

Lawfulness, fairness, transparency

Purpose limitation

Data minimization

Accuracy

Storage limitation

Integrity and confidentiality

Accountability

5. Data processed

Service orders and appointment booking (via form)
Data subjects: natural/legal persons placing orders and booking appointments
Purpose: contact and order fulfillment

Type of dataLegal basisRetention periodnameGDPR Art. 6(1)(a) consentuntil consent is withdrawnphone numberconsentuntil consent is withdrawnemailconsentuntil consent is withdrawnaddressconsentuntil consent is withdrawnappointment timeconsentuntil consent is withdrawn

Processing method:
If the order/booking is made via an online form, personal data is used solely for fulfillment and communication. Providing data is voluntary but necessary for contact and fulfillment. Consent may be withdrawn at any time without justification; withdrawal does not affect prior lawful processing.

6. Data security

We apply regulated procedures and appropriate technical and organizational measures to protect personal data.
Data is protected against unauthorized access, alteration, disclosure, deletion, destruction, and loss.

Access is granted only to staff who need it.

Security measures include:

continuous risk assessment and mitigation,

monitoring threats and vulnerabilities (malware, intrusion, DDoS),

physical protection of devices and paper records,

continuous system monitoring,

selecting reliable service providers with adequate data security compliance.

7. Data transfer and disclosure

Personal data necessary for service provision is transferred only to contractual partners/processors listed in this section.
Data is shared with third parties only when necessary or required by law/authority.
We conclude written agreements with all processors defining responsibilities and security requirements.

Cooperating partners (example):

Gibsz Jakab E. V. (marketing)
Adószám: 91111111111
Székhely: 1030 Budapest, Petőfi utca 1.

HighLevel Inc. (hosting provider)
400 North Saint Paul Street, Suite 920, Dallas, TX 75201

The software’s privacy notice:
https://storage.googleapis.com/msgsndr/knES3eSWYIsc5YSZ3YLl/media/6435747d41ff79e6e2117755.pdf

8. Rights of data subjects

8.1 Prior information

The data subject has the right to receive clear, understandable, written information about the purpose, method, and legal basis of data processing before it begins. The Controller provides separate information in advance about any further processing for different purposes.

8.2 Access

The data subject may request confirmation as to whether their personal data is being processed and has the right to access their data and the following information:
a) purposes;
b) categories of data;
c) recipients/categories (including third countries or international organizations);
d) retention period or criteria;
e) data subject rights (rectification, erasure, restriction, objection);
f) right to lodge a complaint;
g) data source (if not from the data subject);
h) existence, logic, and expected effects of automated decision-making/profiling.

The Controller provides a copy of the personal data. Additional copies may be subject to an administrative fee. For electronic requests, information is provided in a commonly used electronic format unless otherwise requested. Access must not adversely affect the rights and freedoms of others.

8.3 Rectification

The data subject may request correction of inaccurate data without undue delay and completion of incomplete data.

8.4 Erasure (“right to be forgotten”)

The data subject may request deletion without undue delay if, among others:
a) data is no longer necessary;
b) consent is withdrawn and no other legal basis exists;
c) objection is raised without overriding grounds;
d) processing is unlawful;
e) legal obligation requires deletion;
f) data was collected in relation to information society services.

If data is public, the Controller takes reasonable steps to inform other controllers to delete links or copies.

Erasure does not apply where processing is necessary for: freedom of expression/information, legal obligations, public interest, public health, archiving/research/statistics (where deletion would impair objectives), or legal claims.

8.5 Restriction

Restriction may be requested if:
a) accuracy is contested;
b) processing is unlawful but erasure is opposed;
c) data is needed for legal claims;
d) objection is pending evaluation.
During restriction, data may only be stored or otherwise processed with consent, for legal claims, protection of rights, or important public interest. The data subject is informed before lifting restriction.

8.6 Notification obligation

The Controller informs all recipients of rectification, erasure, or restriction unless impossible or disproportionate. The data subject may request the list of recipients.

8.7 Data portability

The data subject may receive provided data in a structured, commonly used, machine-readable format and transmit it to another controller if:
a) legal basis is consent or contract; and
b) processing is automated.
Direct transfer between controllers may be requested where feasible. This right must not infringe others’ rights.

8.8 Objection

The data subject may object to processing based on public interest, official authority, or legitimate interest, including profiling. Processing must cease unless compelling legitimate grounds override or legal claims require it.
For direct marketing, objection can be made anytime and processing must stop.

8.9 Automated decision-making and profiling

The data subject has the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Exceptions:
a) necessary for a contract;
b) authorized by law with safeguards;
c) explicit consent.
Safeguards include the right to human intervention, to express views, and to contest decisions.

8.10 Data breach notification

If a breach is likely to result in high risk to rights and freedoms, the data subject is informed without undue delay.

8.11 Complaints

The data subject may lodge a complaint with a supervisory authority (especially in their habitual residence, workplace, or place of infringement). The authority informs about progress, results, and judicial remedies.

Hungarian supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Mailing address: 1363 Budapest, P.O. Box 9.
Address: 1055 Budapest, Falk Miksa utca 9–11.
Website: www.naih.hu
Telephon: +36 1 391 1400
E-mail: [email protected]

8.12 Judicial remedy

Natural and legal persons are entitled to seek judicial remedy against a legally binding decision of the supervisory authority, as well as if the authority fails to inform them of the outcome of their complaint within three months.
Proceedings must be initiated before the courts of the Member State where the supervisory authority is established.

Exercising data subject rights

Requests may be submitted in writing or, upon prior arrangement, in person via the contact details below.
We respond to all requests within a reasonable time, but no later than 15 working days.

Contact details for exercising rights:
Postai levél: ...ügyfeled cég címe....................................................
E-mail: ......ügyfeled email címe.................................................
In person: by prior telephone appointment.

Note: we do not provide information related to personal data over the phone, as the caller’s identity cannot be reliably verified.