DATA PROTECTION NOTICE

The purpose of this Data Protection Notice is to present, in a concise, transparent, and understandable manner, the data processing practices carried out by HAIR SZABÓ IMRE Commercial and Service Limited Liability Company (hereinafter: “Company” or “Data Controller”) in accordance with applicable legal regulations. This notice aims to inform guests, partners (agents), interested parties, recipients of marketing communications, website visitors, and other relevant individuals (hereinafter: “You,” “Data Subject,” or “User”) about the data processing activities involved.

In relation to the data processing activities described in this notice, the Company acts as the data controller in accordance with Article 4(7) of Regulation (EU) 2016/679 (hereinafter: “GDPR”).

We inform you that your personal data will be processed in compliance with the GDPR, the Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, and all other relevant regulations and internal policies.

The GDPR stipulates that information must be provided in writing or by other means, including electronically where appropriate. Accordingly, we inform you that this document is also available in printed form at the Company’s headquarters.

  1. Data Controller Details:

Data Controller: HAIR SZABÓ IMRE Ltd.

Headquarters: 1056 Budapest, Belgrád rkp. 26. fszt. 2.

Branch Office: 1013 Budapest, Krisztina krt. 45.

Email: robert@szaboimre.hu

Website: www.szaboimre.hu

Phone Number: +36 (70) 311 9482

  2. Hosting Service Provider Details

Name: Lion Stack Ltd.

Mailing Address: 6500 Baja, Kölcsey Ferenc u. 102. 4. em. 10.

Email: info@lionstack.hu

Website: https://lionstack.hu/

Definitions used in this Data Protection Notice are based on GDPR provisions. The individual responsible for data protection within the Data Controller is the Managing Director: Szabó Róbert. Please be informed that the Data Controller is not required to appoint a data protection officer.

For any questions or concerns regarding this notice, or any other data protection document of HAIR SZABÓ IMRE Ltd., or data processing in general, please contact us at: robert@szaboimre.hu.

This Data Protection Notice further aims to ensure the protection of personal data of natural persons, the realization of informational self-determination rights, and to define the principles of data processing and the applicable data protection and data security procedural rules concerning the personal data managed by the Data Controller.

  3. General Information on the Processing of Your Personal Data

When we use the term “personal data” in this Data Protection Notice, we mean any information related to you. Personal data includes, for example, your name, email address, and postal address. It also encompasses any data that is directly or indirectly linked to you, or that can be used to identify you. Data that is not related to you is referred to as “non-personal data” or “anonymous data.” The data protection rules and this Data Protection Notice do not apply to non-personal data.

The processing of your personal data includes activities such as collecting, storing, or deleting your data.

  4. Overview of the Legal Grounds for Processing Your Personal Data

We only process your personal data if there is a legal basis for doing so and if it is lawful under current data protection regulations, meaning that the processing is legally permitted. 

According to the GDPR, the processing of your personal data is usually based on the following legal grounds:

– The processing of your personal data is necessary for the performance of a contract with you, or to take action at your request before entering into such a contract (Article 6(1)(b) of the GDPR – contract performance).

– You have given consent for us to process your personal data for one or more specific purposes (Article 6(1)(a) of the GDPR – consent).

– The processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c) of the GDPR – legal obligation).

– The processing is necessary for the purposes of our or a third party’s legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Article 6(1)(f) of the GDPR – legitimate interests). In cases of data processing based on legitimate interests, we have always conducted the necessary balancing test.

Further details on the specific legal basis for processing, the purposes, scope, and duration of processing are provided in this Data Protection Notice below.

  5. Specific Data Processing Notices

5.1. Specific Data Processing Notice for Service Booking and Related Communication

Purpose of Processing: The purpose of processing your personal data is to allow you to contact us through the contact details of hair salons listed under the “Salons” section on the website www.szaboimre.hu. You may reach out with general inquiries and request an appointment for our services.

Data Processed: During this process, we handle your personal data including your name (title/last name/first name) and phone number, as well as the date and time of the appointment requested for our services.

Legal Basis for Processing: The legal basis for this processing activity is your consent to the processing of your personal data in accordance with Article 6(1)(a) of the GDPR. You have the right to withdraw your consent at any time, but this does not affect the legality of processing based on consent before its withdrawal.

Data Retention Period: How Long Do We Keep Your Personal Data?

We will process your personal data until you withdraw your consent, or, in the absence of such consent, until the latest of the following: the completion of the service or, if the service is not provided, until the date we become aware of this.

Who Has Access to the Processed Personal Data? Who Are the Recipients of the Personal Data?

The personal data processed for this purpose can be accessed by the Data Controller’s Managing Director and employees assigned to handle communication-related data. Your personal data will not be transferred to any third party or individual without your consent, except when required by an authority or official body with appropriate legal grounds.

5.1.1 Specific Data Processing Notice for Oxygen Therapy

Purpose of Processing: The purpose of processing your personal data is to provide the service to you and to promote the preservation, improvement, and maintenance of health.

Data Processed: During the registration for oxygen therapy, we handle your personal data, including your name (title/last name/first name) and phone number, as well as the appointment details. During the therapy, we may also process sensitive health-related data related to your hair or skin condition.

Legal Basis for Processing: The legal basis for processing data in relation to oxygen therapy registration is your consent as per Article 6(1)(a) of the GDPR. You have the right to withdraw your consent at any time, though this does not affect the legality of processing based on consent prior to its withdrawal.

For data processing during the oxygen therapy sessions, the legal basis is Article 6(1)(b) of the GDPR, which relates to the necessity of processing for the performance of a contract to which the data subject is a party or for steps taken at the request of the data subject before entering into such a contract. Providing health and identification data is voluntary, though it is required for the service.

Data Retention Period: We will process your personal data until you withdraw your consent, or, in the absence of such consent, until the latest of the following: the utilization of the service or, if the service is not provided, until the date we become aware of this.

Access to Personal Data and Recipients: The personal data processed for this purpose can be accessed by the Data Controller’s Managing Director and employees assigned to handle communication-related data. Your personal data will not be transferred to any third party or individual without your consent, except when required by an authority or official body with appropriate legal grounds.

5.2. Specific Data Processing Notice for Online Appointment Booking on the Website

Purpose of Processing: The purpose of processing your personal data is to maintain communication with you, which is essential for the provision of the booked service. The Data Controller and/or the Data Controller’s data processor (Bwnet Booking System – Beauty World Net Ltd) will send confirmation of the booking and information related to appointment cancellations to the email address you provided. Additionally, we will contact you via the phone number you provided in case of appointment changes.

Data Processed: During this process, we handle your personal data including your name (title/last name/first name), phone number, IP address, and the appointment details for our services.

Legal Basis for Data Processing: The legal basis for this data processing activity is your consent to the processing of your personal data according to Article 6(1)(a) of the GDPR. You have the right to withdraw your consent at any time, but this does not affect the lawfulness of processing based on consent before its withdrawal.

Data Retention Period: We will process your personal data until you withdraw your consent or, in the absence of consent, until the latest of the following: the utilization of the service, or if the service is not utilized, until we become aware of this.

Access to Personal Data and Recipients: The personal data processed for this purpose can be accessed by the Data Controller’s managing director, as well as employees responsible for managing contact data, and the online booking system partner, Bwnet – Beauty World Net Ltd. (1066 Budapest, Teréz krt. 38. I. em. 110/C., Company Registration Number: 01-09-982082). Your personal data will not be shared with third parties without your consent, except in cases where required by authorities or official bodies with appropriate legal grounds.

5.3 Specific Data Processing Information for Invoicing

Purpose of Data Processing: The purpose of processing your personal data is to issue an invoice for the payment of services provided upon your request and to comply with the Data Controller’s obligation to retain accounting documents related to the invoice.

Scope of Data Processed: In the context of invoicing, we process your name (title/last name/first name), billing address, description of the service, the service fee, and the date of invoice issuance.

Legal Basis for Data Processing: The legal basis for this data processing activity in relation to your request for an invoice is your consent according to Article 6(1)(a) of the GDPR. Issuing an invoice (and thus providing personal data) is not mandatory, but you are entitled to request it from the salon. In this case, you can withdraw your consent to the processing of your personal data at any time before the invoice is issued, but this does not affect the lawfulness of processing based on consent before its withdrawal.

If the invoice you requested has been issued by the salon, the legal basis for processing from that point forward is Article 6(1)(c) of the GDPR, which is necessary for compliance with a legal obligation to which the Data Controller is subject. This obligation is defined by Section 169 of Act C of 2000 on Accounting.

Data Retention Period: For invoicing-related requests, personal data will be processed until your consent is withdrawn or, in the absence of such consent, for 8 years following the issuance of the invoice.

Access to Personal Data and Recipients: The personal data processed for invoicing can be accessed by the Data Controller’s managing director, employees responsible for issuing the invoice, and the accounting firm acting as the data processor. Your personal data will not be shared with third parties without your consent, except in cases where required by authorities or official bodies with appropriate legal grounds.

5.4 Specific Data Processing Information for Job Applications

Purpose of Data Processing: The purpose of processing your personal data is to register and evaluate resumes and related documents received for job positions advertised by the Company, to establish contact with candidates, and to include documents containing the personal data of rejected applicants or those who applied without an advertised position in a labor market database upon request.

Scope of Data Processed: In the management of job applications, we process your name (title/last name/first name), birth name, image, residential address (place of residence/temporary residence), postal address (address/PO box/postal service location), phone number, email address, personal data related to educational qualifications/skills, personal data related to professional experience and previous workplaces/internships, personal data related to awards/prizes, personal data related to language skills, personal data related to driving licenses, personal data related to interests, and any other personal data mentioned in references/cover letters/resumes, as well as the date of the application material and the date of application submission, and your signature.

Legal Basis for Data Processing: The legal basis for this data processing activity is your consent to the processing of your personal data according to Article 6(1)(a) of the GDPR. You have the right to withdraw your consent at any time, but this does not affect the lawfulness of processing based on consent before its withdrawal.

Data Retention Period: We will process your personal data until you withdraw your consent, or in the absence of consent, until the notification of the rejection decision for the rejected applicants and until the deletion of the personnel records for the selected candidate. If you provide a separate and explicit declaration allowing your resume and related documents to be included in our labor market database, we will retain them for this purpose for 6 months from the date of consent.

Access to Personal Data and Recipients: The personal data processed for this purpose can be accessed by the Data Controller’s managing director and employees involved in evaluating and administering applications due to their job roles. For electronically submitted applications, the Company’s hosting service provider, as a data processor, may also access the data. Your personal data will not be shared with third parties without your consent, except in cases where required by authorities or official bodies with appropriate legal grounds.

5.5 Specific Data Processing Information for Professional Models or Guests Volunteering for Modeling

Purpose of Data Processing: The purpose of processing your personal data is to create and use images of you as a professional model or as a guest volunteering for modeling to promote the salon on the www.szaboimre.hu website, as well as on social media platforms created by the data controller or on any platform specified in a separate agreement.

Scope of Data Processed: In the context of modeling, our Company processes your image and any conclusions that can be drawn from your image as personal data.

Legal Basis for Data Processing: For professional models, the legal basis for processing is Article 6(1)(b) of the GDPR, which allows processing necessary for the performance of a contract to which you are a party or necessary steps before the contract is concluded at your request. Failure to provide data, in this case, preventing the creation of your image, may result in the Company enforcing legal claims related to the agreement and obligations you have undertaken. For guests volunteering for modeling, the legal basis for data processing is Article 6(1)(a) of the GDPR, based on the data subject’s consent to the processing of personal data. You have the right to withdraw your consent at any time, but this does not affect the lawfulness of processing based on consent before its withdrawal.

Data Retention Period: For guests volunteering for modeling, personal data will be processed until the withdrawal of their consent, while for professional models, data will be processed until the date specified in the agreement (contract) regarding the creation of the recordings.

Who has access to the processed personal data, and who are the recipients of the personal data? 

For this purpose, the personal data can be accessed by the Company’s managing director, employees responsible for the publication of recordings, the photographer responsible for the recordings, and the hosting service provider acting as a data processor. Your personal data will not be transferred to third parties/natural persons without your consent; it will only be transferred in response to an official request from an authority or official body with appropriate legal grounds.

5.6 Information on Data Processing Related to Partner and Agent Communication

Purpose of Data Processing: The purpose of processing personal data is to maintain contact with regular or new agents for the purpose of ordering goods.

Scope of Data Processed: In this data processing activity, the Company, as Data Controller, processes your name (title/last name/first name), phone number, and email address as personal data.

Legal Basis for Data Processing: The legal basis for this data processing activity is your consent to the processing of your personal data according to Article 6(1)(a) of the GDPR. You have the right to withdraw your consent at any time, but this does not affect the lawfulness of processing based on consent before its withdrawal.

Data Retention Period: We will process your personal data until you withdraw your consent or, in the absence of consent, until the point at which maintaining contact with you as an agent is no longer necessary.

Who has access to the processed personal data, and who are the recipients of the personal data? For this purpose, the personal data can be accessed by the Company’s managing director and employees responsible for procuring goods and contacting the agent. Your personal data will not be transferred to third parties/natural persons without your consent; it will only be transferred in response to an official request from an authority or official body with appropriate legal grounds.

5.7 Information on Data Processing Related to Other Employment Relationships

Purpose of Data Processing: The purpose of processing your personal data is to establish an employment relationship with you for work.

Scope of Data Processed: In this data processing activity, the Company processes your name (title/last name/first name), place and date of birth, mother’s name, age, type/number of identification documents, nature of the employment relationship, amount of compensation, due date of payment, description and timing of the work performed, name of the financial institution where your account is held and your account number, tax identification number, social security identification number (TAJ number), and your signature as personal data.

Legal Basis for Data Processing: The legal basis for this data processing activity is Article 6(1)(b) of the GDPR, which allows processing necessary for the performance of a contract to which you are a party or necessary steps before the contract is concluded at your request. If you do not provide the personal data necessary for the performance of the contract, an employment relationship cannot be established between you and the Company.

Data Retention Period: The Company will retain your personal data for 5 (five) years following the completion of the contract.

Who has access to the processed personal data, and who are the recipients of the personal data? For this purpose, the personal data can be accessed by the Company’s managing director, employees assigned to manage the employment relationship, and the accountant acting as a data processor. Your personal data will not be transferred to third parties/natural persons without your consent; it will only be transferred in response to an official request from an authority or official body with appropriate legal grounds.

5.8 Information on Data Processing Related to Payment of Compensation from Employment Relationships

Purpose of Data Processing: The purpose of processing personal data is to pay compensation for work performed to individuals in an employment relationship with the Company.

Scope of Data Processed: In this data processing activity, the Company processes your name (title/last name/first name), place and date of birth, mother’s name, type/number of identification documents, nature of the employment relationship, amount of compensation, due date of payment, description and timing of the work performed, name of the financial institution where your account is held and your account number, tax identification number, social security identification number (TAJ number), and your signature as personal data.

Legal Basis for Data Processing: The legal basis for processing is Article 6(1)(c) of the GDPR, which allows processing necessary for compliance with a legal obligation applicable to the data controller, in this case, Act C of 2000 on Accounting.

Data Retention Period: The Company will retain personal data for 8 years following the payment of compensation.

Who has access to the processed personal data, and who are the recipients of the personal data? For this purpose, the personal data can be accessed by the Company’s managing director, employees assigned to manage the employment relationship, and the accounting office acting as a data processor. Your personal data will not be transferred to third parties/natural persons without your consent; it will only be transferred in response to an official request from an authority or official body with appropriate legal grounds.

5.9 Information on Data Processing Related to Electronic Security – Camera System – Surveillance System

Purpose of Data Processing: The purpose of processing personal data is to protect the assets of the Company’s operated salons and the individuals present there.

Scope of Data Processed: In this data processing activity, the Company processes your image and any conclusions drawn from your image as personal data.

Legal Basis for Data Processing: The legal basis for processing is Article 6(1)(f) of the GDPR, which allows processing necessary for the legitimate interests pursued by the data controller or a third party. This legitimate interest is the protection of the salons and the assets of individuals present there.

Data Retention Period: The Company will store recordings of individuals for 3 (three) days according to Section 31(2) of Act CXXXIII of 2005 on personal and property protection and private investigation activities.

Who has access to the processed personal data, and who are the recipients of the personal data? For this purpose, the personal data can be accessed by the Company’s managing director and individuals responsible for operating and maintaining the electronic surveillance system. Your personal data will not be transferred to third parties/natural persons without your consent; it will only be transferred in response to an official request from an authority or official body with appropriate legal grounds.

5.10 Information on Data Processing Related to Website Visits

When you visit our website, your browser automatically sends information to our website’s server and temporarily stores it in a log file.

Purpose of data processing: We process your personal data for the following purposes: to ensure smooth communication, to provide a convenient use of our website, and to analyze the security and stability of the system.

Scope of data processed: When visiting the website, we process the following information: your IP address, the date and time of access, the name and URL of the downloaded file, the website from which the access occurred (referring URL), and the browser you used, and, where applicable, the operating system of the device used to access our website, as well as the name of your internet service provider.

Legal basis for data processing: Processing your personal data is necessary to allow you to visit our website and to ensure the performance, long-term operability, and security of our website and systems. Therefore, we process your personal data based on Article 6(1)(f) of the GDPR. We have a legitimate interest in ensuring the performance, long-term operability, and security of our website and systems.

Duration of data processing or how long we store your personal data: Generally, we process your personal data only as long as necessary to achieve the mentioned purposes. The storage period for the data processed in each data processing activity can be found in later sections of this privacy notice.

Who has access to the processed personal data, and who are the recipients of the personal data? The personal data processed for this purpose may be accessed by the company’s managing director and the hosting service provider acting as the data processor.

5.11 Direct marketing and newsletter sending related specific data processing notice:

Purpose of data processing: Sending newsletters on selected topics, sending promotional offers and other communications, informing about current information, offers, direct marketing inquiries, conducting online research, and promoting the data controller’s services through online newsletters and/or direct marketing communications.

Scope of data subjects: Website visitors who subscribe to the newsletter service.

Scope of data processed: The name and email address you provide. As a user, you can give your consent to data processing by ticking the empty checkbox specifically designated for this purpose under the “contact” section on the website.

Legal basis for data processing: We process your personal data based on Article 6(1)(a) of the GDPR, which means based on your consent.

Duration of data processing or how long we store your personal data: Data will be processed until the consent of the data subject is withdrawn. You can unsubscribe from the newsletter at any time by using the unsubscribe link at the end of each newsletter. The data subject has the right to withdraw consent at any time, and the withdrawal can be initiated via email, phone, or letter using the contact details provided above. Withdrawal of consent does not affect the legality of the data processing based on consent prior to withdrawal.

Who has access to the processed personal data, and who are the recipients of the personal data? The personal data processed for this purpose may be accessed by the data controller, the data controller’s IT staff, and the website developer, and the data may be forwarded to the company responsible for sending the newsletter.

  6. Cookie usage information

On our website, we use technologies designed to facilitate and enhance the user-friendliness of the website and to provide various functionalities. Such technologies include cookies.

What is a cookie? 

The data controller uses cookies during the visit to the website. A cookie is an information package consisting of letters and numbers, which our website sends to your browser to save certain settings, facilitate the use of our website, and help us collect some relevant statistical information about our visitors.

Some cookies do not contain personal information and are not suitable for identifying individual users, while others contain a unique identifier—a secret, randomly generated number—that is stored on your device, thereby allowing the identification of your device. The duration of each cookie’s operation is described in the relevant cookie’s description.

Legal background and basis for cookies: There are generally three types of cookies: essential cookies necessary for the website’s proper functioning, statistical cookies, and marketing cookies. The legal basis for processing cookies is your consent under Article 6(1)(a) of the Regulation for statistical and marketing cookies, and the legitimate interest under Article 6(1)(f) of the Regulation for essential cookies necessary for the website’s operation.

Main characteristics of cookies used by the website:

Essential cookies: If you do not accept the use of these cookies, certain functions may not be available to you.

Strictly necessary cookies: These cookies are essential for the use of the website and enable the basic functions of the website. Without these cookies, many functions of the site may not be available to you. The lifespan of these cookies is limited to the session duration.

Session cookies: These cookies store information such as the visitor’s location, browser language, and payment currency. Their lifespan is until the browser is closed, or a maximum of 2 hours.

Recommended products cookie: Records the list of products you want to recommend under the “recommend to a friend” feature. Its lifespan is 60 days.

Cookie acceptance cookie: Records your acceptance of the cookie storage declaration when you arrive on the page. Its lifespan is 365 days.

Statistical cookies: Cookies for improving user experience: These cookies collect information about the user’s website usage, such as which pages are visited most often or what error messages are received from the website. These cookies do not collect information that identifies the visitor, meaning they work with completely general, anonymous information. The data obtained from these cookies is used to improve the website’s performance. The lifespan of these cookies is limited to the session duration.

Referrer cookies: Record from which external page the visitor arrived on the site. Their lifespan is until the browser is closed.

Recently viewed product cookie:

Records the products you have recently viewed. Its lifespan is 60 days.

Recently viewed category cookie:

Records the last viewed category. Its lifespan is 60 days.

Cart cookie:

Records the products added to the cart. Its lifespan is 365 days.

Intelligent offer cookie:

Records the conditions for displaying intelligent offers (e.g., whether the visitor has been to the site before, if there is an order). Its lifespan is 30 days.

Remarketing cookies:

May appear on other websites within the Google Display Network when browsing or searching for terms related to the company’s products or services.

Facebook pixel (Facebook cookie):

The Facebook pixel is a code that helps create reports on conversions, build target audiences, and provides detailed analytics about visitors’ use of the website. The Facebook pixel allows displaying personalized offers and ads on Facebook. You can study Facebook’s privacy policy here: https://www.facebook.com/privacy/explanation

For more information on deleting cookies, please see the following links:

Google Analytics cookies: Google Analytics cookies are necessary for analyzing website traffic.

Scope of data subjects in data processing: Website visitors.

Purpose of data processing: Additional services, identification, tracking visitors.

Legal basis for data processing: User consent is not required if the service provider needs cookies for essential functions.

Scope of data: Unique identifier, time, setting data.

Data processors authorized to access the data: The data controller does not process personal data through cookies.

Data storage method: Electronic.

7 Social Media

On our website, we use social network pixels (Facebook, Instagram, YouTube, TikTok). The pixels are activated and your data is processed by the social networks only if you have consented to the processing of personal data by social networks in the “Privacy Settings” center.

If you are a registered user of a social network whose pixels we use (Facebook, Instagram, YouTube, TikTok), your visit to our website can be linked to your user account on that social network. Please be aware that social networks may associate data collected through the pixels used on our website with other personal data about you, even if you are not a user of the social network.

Additionally, please note that the providers of social networks may process personal data handled through the pixel for their own purposes.

Purpose of data processing: To display information and advertisements about our products, offers, and services on the social network.

Personal data processed: IP address, browser, operating system.

Legal basis for data processing: Voluntary consent of the data subjects (Article 6(1)(a) of GDPR).

Duration of data processing: We process your personal data only as long as necessary to achieve the mentioned purposes.
  1. Data processors engaged:

– For storing personal data, the data processor is Lion Stack Kft., based on a data processing agreement for data storage (hosting service).

  Data processor contact information:

  Phone: +36 30 883 8442

  Email: info@lionstack.hu

  Address: 6500 Baja, Kölcsey Ferenc u. 102. 4. em. 10.

  Website: https://lionstack.hu/

– For providing the online appointment booking interface, the data processor is Beauty World Net Kft. (1066 Budapest, Teréz krt. 38. I. em. 110/C., Cgj: 01-09-982082).

  Data processor contact information:

  Phone: +36 70 325 7037

  Email: info@bwnet.hu

  Website: bwnet.hu

– For providing newsletter services, the data processor is The Rocket Science Group LLC (Mailchimp) (512 Means St. Suite 404 Atlanta, GA 30318 USA, www.mailchimp.com). Mailchimp’s privacy policy is available at https://mailchimp.com/legal/privacy.

– The data controller is entitled to transfer personal data (name, phone number, address) provided in the order to a third party involved in the performance of oxygen therapy treatments and the actual provision of the therapy, who acts as a data processor in the fulfillment of the order.

– For fulfilling accounting and bookkeeping obligations related to completed orders, the data controller transfers personal data related to the completed order to a third-party accounting service provider.

  1. Handling of Other Consumer Protection Complaints

The data processing is carried out to handle consumer protection complaints. If you have submitted a complaint to us, data processing and providing your data are essential.

The data processed in this context include:

  • Customer’s name,
  • Phone number,
  • Email address,
  • Content of the complaint.

Data Retention Period

Warranty complaints are retained for 5 years as required by the consumer protection law.

Legal Basis

Submitting a complaint to us is your voluntary decision. However, if you do submit a complaint, we are required to keep it for 3 years under Section 17/A (7) of Act CLV of 1997 on Consumer Protection [Data Processing under Article 6(1)(c) of the Regulation].

  1. Handling Data Protection Incidents

Reporting a Data Protection Incident

A data protection incident, if not addressed promptly and appropriately, can cause harm to individuals, such as loss of control over personal data, restrictions on rights, discrimination, identity theft or misuse, financial loss, damage to reputation, and other disadvantages.

The data controller must report the data protection incident to the competent supervisory authority without undue delay, and if possible, within 72 hours after becoming aware of it, unless the incident is unlikely to result in a risk to the rights and freedoms of individuals. If the report is not made within 72 hours, reasons for the delay must be provided.

The data processor must report the data protection incident to the data controller without undue delay after becoming aware of it.

Contents of the Report:

  • Description of the nature of the data protection incident, including, if possible, the categories and approximate number of data subjects, and the categories and approximate number of data affected;
  • Contact details of the data protection officer or other relevant contact person;
  • Likely consequences of the data protection incident;
  • Measures taken or proposed by the data controller to address the incident, including, where applicable, measures to mitigate any adverse effects.

If it is not possible to provide all the information simultaneously, it may be provided in phases without undue delay.

The data controller maintains a record of data protection incidents, detailing the facts related to the incidents, their effects, and the measures taken to address them. This record allows the supervisory authority to verify compliance with requirements.

Informing the Affected Individuals

If a data protection incident is likely to result in a high risk to the rights and freedoms of individuals, the data controller must inform the affected individuals without undue delay.

The information provided to the affected individuals must clearly and understandably describe the nature of the data protection incident and include at least the following information and measures:

  • Contact details of the data protection officer or other relevant contact person;
  • Likely consequences of the data protection incident;
  • Measures taken or proposed by the data controller to address the incident, including, where applicable, measures to mitigate any adverse effects.

The obligation to inform the affected individuals does not apply if:

  • The data controller has implemented appropriate technical and organizational protection measures, and those measures have been applied to the data affected by the incident, particularly measures such as encryption that render the data unintelligible to unauthorized persons;
  • The data controller has taken further measures after the data protection incident to ensure that the high risk to the rights and freedoms of the affected individuals is no longer likely;
  • Providing the information would require disproportionate effort.

In such cases, affected individuals must be informed through publicly available information or other similar measures ensuring effective communication.

  1. Rights of the Data Subjects

Transparent Information

Data subjects are entitled to clear, easily accessible, and comprehensible information from the data controller about the purpose of processing their personal data, the duration of processing, individuals or entities that will have access to their data, their rights as data subjects, the possibility of lodging a complaint, the fact of data transfer to third countries, and all essential data processing conditions.

Right of Access

Data subjects have the right to obtain feedback from the data controller on whether their personal data is being processed and, if so, to access their personal data and be informed about the processing conditions (purpose of processing, categories of personal data, recipients of personal data, duration of processing, data subject rights, right to lodge a complaint).

To meet security requirements and protect the rights of data subjects, the data controller must verify the identity of the person requesting access. Therefore, providing information, access to data, or issuing copies requires verifying the identity of the data subject.

Right to Rectification

Data subjects have the right to request that the data controller rectify inaccurate personal data concerning them without undue delay. Data subjects are also entitled to request the completion of incomplete personal data.

Right to Erasure (“Right to be Forgotten”)

Data subjects have the right to request the data controller to erase their personal data without undue delay, and the data controller is obliged to erase personal data without undue delay if any of the following reasons apply: the data subject withdraws their consent, the data subject successfully objects to the processing of their personal data, the data was processed unlawfully, or the data must be erased to comply with a legal obligation.

Right to Restriction of Processing

Data subjects have the right to request the data controller to restrict processing if: (a) the data subject disputes the accuracy of personal data, and processing is unlawful but the data subject opposes erasure, (b) the data controller no longer needs the personal data for processing purposes, but the data subject requires it for legal claims, or (c) the data subject objects to processing; in this case, restriction applies for the period during which it is determined whether the data controller’s legitimate reasons override the data subject’s interests, rights, and freedoms.

Right to Data Portability

Data subjects have the right to receive the personal data they have provided to a data controller in a structured, commonly used, and machine-readable format, and to transmit this data to another data controller, provided that the processing is based on the data subject’s consent and is carried out by automated means.

Right to Object

Data subjects have the right to object, on grounds relating to their particular situation, at any time to the processing of their personal data when processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party. In this case, the data controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the data subject’s interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

Automated Decision-Making, Including Profiling

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects them, unless the processing is necessary for entering into or performing a contract between the data subject and the data controller, is authorized by law, or is based on the data subject’s explicit consent.

Right to Judicial Remedy

If a data subject believes that their personal data has been processed in violation of applicable data protection laws, they may lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) at 1055 Budapest, Falk Miksa utca 9-11., mailing address: 1363 Budapest, Pf. 9. Email: ugyfelszolgalat@naih.hu, website: About the Authority – National Authority for Data Protection and Freedom of Information (naih.hu), or they may seek judicial remedy, which will be expedited. The data subject can choose to file the complaint either at the court of their residence or temporary residence or the court where the data controller’s headquarters are located. The court of residence or temporary residence can be found at http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso. The Budapest Regional Court has jurisdiction for cases involving the data controller’s headquarters.

Submission of Requests by the Data Subject and Measures Taken by the Data Controller

The Data Controller facilitates the exercise of the rights of the Data Subject as specified in this chapter and in legal regulations. The Data Controller cannot refuse to fulfill a request for the exercise of the Data Subject’s rights, unless it can prove that it is not able to identify the Data Subject. The Data Controller shall inform the Data Subject of the measures taken in response to the request without undue delay, but no later than 30 (thirty) days from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline can be extended by an additional two months. The Data Controller must notify the Data Subject of the extension of the deadline, including the reasons for the delay, within one month from the receipt of the request.

Information should be provided electronically, if possible, unless the Data Subject requests otherwise. If the Data Controller does not take action in response to the Data Subject’s request, it must inform the Data Subject of the reasons for not taking action without undue delay, but no later than 30 (thirty) days from the receipt of the request. The Data Subject should be informed that they have the right to lodge a complaint with a supervisory authority and to seek judicial remedies.

The Data Controller provides information about data processing, information on the rights of the Data Subject, and the measures taken free of charge. If the request of the Data Subject is manifestly unfounded or, in particular, excessive due to its repetitive nature, the Data Controller may charge a fee or refuse to act on the request, taking into account the administrative costs of providing the requested information or taking the requested action. The Data Controller bears the burden of proving that the request is manifestly unfounded or excessive. If the Data Controller has reasonable doubts about the identity of the person making the request, it may request additional information necessary to confirm the Data Subject’s identity.

Legal appeal

Information, Complaints

If the Data Subject believes that their rights related to the processing of personal data have been infringed, they can contact the Data Controller at the provided contact details for information and the exercise of their rights.

Complaint Handling with the Authority

For further remedies, a complaint can be submitted to the National Authority for Data Protection and Freedom of Information. The Authority will only investigate complaints if the Data Subject has already contacted the Data Controller regarding the exercise of the rights mentioned in the complaint. The Data Subject can also take legal action against the Data Controller or contact the data protection authority in case of a violation of their rights. The contact details for lodging a complaint are as follows:

National Authority for Data Protection and Freedom of Information

Address: 1055 Budapest, Falk Miksa Street 9-11

Mailing Address: 1363 Budapest, P.O. Box 9

Phone:

+36 (30) 683-5969

+36 (30) 549-6838

+36 (1) 391 1400

Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

Website: naih.hu

  1. Technical and Organizational Measures to Ensure Data Security

Protection Against Malicious Software  

The Data Controller operates a multi-layered, heterogeneous protection system against widely prevalent harmful programs on its computers, network devices, and content filters.

Detailed Logging and Security Event Detection  

The Data Controller maintains technical logs of the systems and applications it operates. In the event of a data security or IT security incident, these logs enable the detection and reconstruction of such events.

Endpoint Protection  

The Data Controller employs firewalls and other intrusion detection software to provide continuous monitoring.

Protection of Physical Data Carriers and Documents  

The Data Controller uses lockable document and software cabinets, and has an internal document management policy in place. According to this policy, paper documents are stored in lockable cabinets and are accessible only to authorized individuals.

Advanced Spam and Web Activity Filtering Mechanisms  

The Data Controller uses an automated system to filter unsolicited (spam), phishing, and malicious code (malware) emails. It also monitors internet access and browsing activities from its network and devices. Automated systems are employed to block access to unsafe sites, and protective measures are in place to counteract specific, protocol-based attacks.

User Training  

The Data Controller places a strong emphasis on the ongoing education of its staff concerning information security practices.

  1. Compensation and Damages

Anyone who has suffered material or non-material damage as a result of a violation of data protection regulations is entitled to compensation from the Data Controller or Data Processor. The Data Processor is liable for damage caused by data processing only if it has not complied with the specific obligations imposed on data processors by law or if it has ignored or acted contrary to the lawful instructions of the Data Controller.

If multiple Data Controllers or Data Processors are involved in the same data processing and are responsible for the damage caused by the processing, each Data Controller or Data Processor is jointly and severally liable for the entire damage.

  1. Definitions and Glossary:

Data Subject: any natural person identified or identifiable based on any information;

Personal Data: any information related to the Data Subject;

Consent: the voluntary, explicit, and informed expression of the Data Subject’s will, indicating acceptance of the processing of their personal data, either through a declaration or other unambiguous indication of their wishes;

Data Controller: a natural or legal person, or an entity without legal personality, who or which determines the purpose and means of data processing, alone or with others, and decides on the data processing (including the tools used) and carries it out, or has it carried out by a Data Processor;

Data Processing: any operation or set of operations performed on data, regardless of the applied procedure, including collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, restriction, erasure, and destruction, as well as preventing further use of the data, making photographic, audio, or video recordings, and recording physical characteristics for identification purposes (e.g., fingerprints, palm prints, DNA samples, iris images);

Data Transfer: making data available to a specified third party;

Disclosure: making data available to anyone;

Data Erasure: rendering data unrecognizable in such a way that its restoration is no longer possible;

Data Restriction: marking stored data to restrict its further processing;

Data Destruction: complete physical destruction of the data-containing medium;

Data Processing: the totality of data processing operations carried out by a Data Processor on behalf of or at the direction of the Data Controller;

Data Processor: a natural or legal person, or an entity without legal personality, who or which processes personal data on behalf of or at the direction of the Data Controller, within the limits specified by law or mandatory EU legal acts;

Third Party: a natural or legal person, or an entity without legal personality, who or which is not the Data Subject, Data Controller, Data Processor, or persons acting under the direct authority of the Data Controller or Data Processor, and who performs data processing operations.

  1. Other Provisions

This Privacy Notice is published by Hair-Szabó Ltd. (Data Controller) on its website (www.szaboimre.hu). The Data Controller may unilaterally amend this notice. The current version of the notice is available on the Data Controller’s website, which also provides information about any modifications to the notice.

This Privacy Notice provides current, complete, and fundamentally final information about the processing of personal data related to our website. It requires regular updates. To stay informed about the current status of the Privacy Notice, we recommend reading this Privacy Notice regularly.

Signature

Issued by:

Robert Szabó, Managing Director