GDPR-compliant Privacy Policy

1. Scope of the Data Protection Policy

1.1. This data protection policy contains the rules for the processing of personal data during the use by the User of the services provided on the website operating under the domain names www.cst.hu and www.cranio-terapia.hu (hereinafter referred to as the website) and personally by Németh Ágnes e.v. (registered office: 2009 Pilisszentlászló, Kossuth L. u. 16., registration number: 35355293, tax number: 66485236-1-33, e-mail address: cranio@cst.hu, telephone number: 06 20 969 7976; hereinafter referred to as the Data Controller). By using the services provided on the website, the User acknowledges that this data protection policy is binding on him/her.

1.2. This policy simultaneously takes into account the provisions of Regulation 2016/679 of the European Parliament and of the Council (the “General Data Protection Regulation” or “GDPR”), Act CXII of 2011 on the right to informational self-determination and freedom of information (“Infotv.”), Act V of 2013 on the Civil Code (“Ptk.”), Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity (“Grtv.”), Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society, and Act C of 2000 on accounting (regarding the issuance and preservation of documents). The regulation necessarily stipulates that, in addition to maintaining the general principles, the records (data) and documents to be retained for the period specified by individual sectoral laws may, as appropriate and necessary, contain personal data, the storage of which for the period specified by law may not infringe the rights of individuals.

1.3. The Data Controller reserves the right to amend the data protection regulation. The data protection regulation may only be amended within the framework of the data protection legal provisions and with content corresponding to them. The Data Controller is obliged to publish the amended data protection regulation on its website in the same way as the previous one. The amendment shall enter into force on the day following its publication. The use and utilization of any service provided by the Data Controller constitutes acceptance of the amended data protection regulation.

1.4. Definitions

1.4.1 Data file: the set of data managed in a register

1.4.2 Data processing: any operation or set of operations performed on Personal Data, regardless of the procedure used, in particular the collection, recording, systematization, structuring, storage, transformation, alteration, use, query, inspection, communication, transmission, dissemination or otherwise making available, disclosure, coordination or combination, restriction, deletion and destruction of Personal Data.

1.4.3 Data Controller: the person who determines the purposes and means of Data Processing – independently or jointly with others. In the case of the Services referred to in these Regulations, Németh Ágnes e.v. is considered to be the Data Controller.

1.4.4 Personal data: any data or information on the basis of which a natural person User can be identified – directly or indirectly.

1.4.5 Data Processor: the service provider that processes personal data on behalf of the Data Controller.

1.4.6 Service(s): the services provided by the Data Controller, which the Data Controller provides as accessible services to Users as customers, and which perform data processing within the scope of its activities.

1.4.7 User: the natural person who uses any of the Data Controller’s Services or contacts the Data Controller with a view to potentially using a Service, and in this context provides at least one piece of personal data listed in point 1.5 below.

1.4.8 Website: the website operated by the Data Controller: www.cst.hu (also available at the web address www.cranio-terapia.hu) and the social media platforms belonging to the websites.

1.4.9 Data file: the totality of data managed in a register

1.4.10 Data destruction: the complete physical destruction of the data medium containing the data;

1.4.11. Data transfer: if the data is made accessible to a specific third party;

1.4.12 Disclosure: if the data is made accessible to anyone;

1.4.13 Data deletion: making the data unrecognizable in such a way that their recovery is not possible;

1.5 Scope of personal data managed

1.5.1 If the User visits a Service interface, the Data Controller’s system automatically records the User’s IP address.

1.5.2 The Data Controller may process the following data in connection with the use of the Services and in the event of concluding a contract: name, e-mail address, telephone number, place and time of birth, mother’s name, ID card number, social security number and other data voluntarily provided by the User, which are necessary for the provision of the Service.

1.5.3 If the User uses an e-mail address for the purpose of using a Service or calls, the Data Controller records the User’s e-mail address and/or telephone number and processes it to the extent and for the period necessary to provide the service.

1.6 Scope of additional data processed by the Data Controller

1.6.1 In order to provide customized service, the Data Controller may send a specialized data package (so-called “cookie”) to the User’s computer. The Data Controller may process the following Personal Data using cookies: demographic data and interests, habits, preferences based on the parameters provided by the user, which are based on browsing history. The purpose of using cookies is to ensure the highest possible level of operation of the given site and personalized services, as well as to increase the user experience. The User can delete the cookie from his/her own computer, or set and parameterize his/her device in such a way that the use of cookies is automatically prohibited. By prohibiting the use of cookies, the User acknowledges that without cookies, the operation of the given site is not complete, and the use of certain services may be limited or hindered.

2. Purpose, legal basis and scope of data processing

2.1. In the course of the services provided by the Data Controller, the Data Controller is considered the Data Controller, who does not use a data processor for data processing. The Data Controller carries out data processing with its own technical means.

2.2. The User’s personal data may only be accessed by the Data Controller, as well as by the persons to whom the personal data has been transmitted.

2.3. In the case of data processing based on consent, data processing is always carried out on the basis of the User’s voluntary, conscious and informed consent, free from influence, solely for the purpose specified in this data protection policy, to the extent and for the period strictly necessary to achieve the purpose, in a manner suitable for achieving the purpose, in accordance with the provisions of data protection legislation.

2.4. When contacting the Data Controller via the contact form on its website, the User expressly declares that he/she consents to the processing of his/her personal data and that he/she has read and accepted this Data Protection Policy as binding on him/her.

2.5. The legal basis for the processing of personal data when contacting the Data Controller is that the data processing is necessary for the performance of a service in which the data subject is one of the parties, or for taking steps at his/her request.

2.6. Purpose of data processing:

The Data Controller uses the data to provide Services and to fulfill legal obligations, in particular for the following purposes:

keeping in touch, the primary purpose of which is to provide Users with appropriate information and to respond to messages sent by the User;

in the case of social services (facebook, instagram, etc.), ensuring the identification of Users and the Data Controller by each other and enabling their communication with each other;

fulfilling the obligation to invoice, tax return and retain documents.

The Data Controller shall retain personal data for the period strictly necessary to achieve the purpose, or for as long as it is required to do so by law. The data shall be deleted at the request of the user, or after the contract has not been concluded, the contract has been terminated and fulfilled, if the processing of the data is no longer necessary in order to enforce the claim arising from the contract, or the Data Controller has voluntarily waived the purpose of the data processing.

2.7. The Data Controller shall not process any other data in addition to the data related to the use of the Service provided by it. If it processes other data for the purpose of increasing the efficiency of its service, sending electronic advertising or other targeted content to the user, market research and statistics, it shall process them – only after prior determination of the purpose of data processing – after informing the User accordingly and based on his/her express consent.

2.8. When using certain services provided on the website, the communications of Users may contain personal data relating to the User, other Users or other third parties, which are thus processed by the Data Controller. The Data Controller processes the personal data processed by the Data Controller in this way for the purpose arising from the function of the given service for the duration of the provision of the service.

3. Data transfer

3.1. The Data Controller may transfer personal data processed by the Data Controller to third parties only with the prior consent of the User, with prior information about the purpose of the data transfer.

3.2. Data processing

The Data Controller uses the Data Processors named in these Regulations to carry out its activities. The Data Processors do not make independent decisions, and are entitled to act only on the basis of the contract concluded with the Data Controller and in accordance with the instructions received. The Data Controller continuously monitors the activities of the Data Processors and the protection of personal data. The Data Processors are entitled to use other data processors or subcontractors only with the consent of the Data Controller.

4. Data Security

4.1. The Data Controller shall do everything in its power to prevent and eliminate the knowledge or access of the personal data it processes by unauthorized persons. To ensure this, the Data Controller shall use technical and IT tools and solutions that comply with industry standards, and shall take appropriate measures. In doing so, the Data Controller shall pay particular attention to the fact that the services provided on the website can be used via an open access internet network, which requires enhanced security measures.

4.2. Although the Data Controller takes all reasonable measures to ensure data security, due to the rapid development and change of information and communication technology, and given that the dangers arising from the characteristics of IT cannot be completely excluded in advance, it is possible that a third party may gain access to the personal data processed by the Data Controller through illegal activities, in a manner unknown to the Data Controller, despite the security measures applied by the Data Controller. The Data Controller shall not be liable for any resulting personal damage or misuse of personal data processed by the Data Controller and for any misuse of personal data acquired by a third party in this way.

5. Duration of the Data Controller’s data processing

5.1. If, after the contact is made, the Data Controller and the User do not use the service, the Data Controller shall process the personal data until the date of failure of the service.

5.2. If, after the contact, the Data Controller and the User use the service, the Data Controller will process the data as long as a claim can be asserted in relation to the service (based on the general limitation period under the Civil Code), or as long as it is obliged to do so by law.

5.3. If the deletion of personal data is ordered by a court or a final decision of the competent authority, the Data Controller will implement it within the shortest possible time after receipt. Otherwise, the Data Controller will not delete Personal Data as long as the purpose of the data processing or the legal obligation that precludes the deletion of the personal data exists.

6. Rights of the data subjects related to data processing

6.1. The User is entitled at any time to learn which personal data the Data Controller processes for which purpose, and which personal data the Data Controller has forwarded to which third party for which purpose. The User may request the correction of his/her personal data or its deletion in accordance with the provisions of this data protection regulation. The User may make the request for information by e-mail sent to the e-mail address cranio@cst.hu.

6.2. The Data Controller considers the request for information sent by letter to be justified if the request allows the applicant to be identified beyond doubt and unambiguously. The Data Controller reserves the right to request other identification data from the applicant in case of doubt before fulfilling the request for information.

6.3. The request for information may cover the applicant’s data processed by the Data Controller, their source, the legal basis, purposes, duration of the data processing, the name and address of any data processors, the activities related to the data processing, and if the personal data has been transferred, who has received or will receive his/her data and for what purpose.

6.4. The Data Controller is obliged to provide the information in writing and in a plain language as soon as possible after the User submits their request for information, but no later than 25 days.

6.5. The User may request the correction, rectification or modification of their personal data processed by the Data Controller. Taking into account the purpose of the data processing, the User may request the completion of incomplete personal data. After the request for modification of personal data is fulfilled, previous data cannot be restored.

6.6. The User may request the deletion of their Personal Data processed by the Data Controller. Deletion may be refused on the grounds of legal authorization, for the purpose of exercising the right to freedom of expression and information. The Data Controller shall inform the User of the refusal of the deletion request in each case, indicating the reason for the refusal. After the request for deletion of personal data is fulfilled, previous data cannot be restored. Letters sent by the Data Controller can be unsubscribed via the unsubscribe link in them. In case of unsubscription, the data controller will delete the User’s personal data in the newsletter database.

6.7. The User may also request that the processing of his/her personal data be restricted by the Data Controller if the User disputes the accuracy of the processed personal data. In this case, the restriction shall apply for a period of time that allows the Data Controller to verify the accuracy of the Personal Data. The Data Controller shall mark the personal data it processes if the User disputes its accuracy or correctness, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established. The User may request that the processing of his/her personal data be deleted and instead request the restriction of their use.

6.8. The User may request that the Data Controller provide the Personal Data provided by the User and processed by the User in an automated manner in a structured, commonly used, machine-readable format and/or transmit them to another data controller.

6.9. The User may object to the processing of his/her Personal Data if the processing of the Personal Data is necessary solely for the fulfilment of a relevant legal obligation of the Data Controller or for the exercise of the legitimate interests of the Data Controller, the Data Controller of a Service or a third party, if the purpose of the data processing is public opinion research, direct marketing or scientific research; or if the data processing is carried out for reasons of public interest. The Data Controller shall examine the legality of the User’s objection and, if it determines that the objection is well-founded, shall terminate the data processing and block the Personal Data processed, and shall notify all those to whom the Personal Data affected by the objection have previously been transmitted of the objection and of the measures taken on the basis thereof.

6.10. The information set out in point 6.1. is free of charge if the person requesting the information has not yet submitted a request for information to the Data Controller in the same area in the current year. In other cases, a cost reimbursement may be determined. The already paid reimbursement must be refunded if the data was processed unlawfully or the request for information led to a correction.

6.11. In addition to the above information, the Data Controller ensures that the User can find out at any time before and during the use of the service for which data processing purposes the Data Controller processes which types of data.

6.12. The User may directly contact the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu) with a complaint related to data processing.

6.13. In the event of a violation of the User’s rights, the User may apply to court. The adjudication of the lawsuit in the case of a claim for non-pecuniary sanctions falls within the jurisdiction of the court, while the adjudication of exclusively pecuniary claims arising from the violation of personal rights and damages falls within the jurisdiction of the district court. Upon request, the Data Controller shall inform the User about the possibility of legal remedies and their means.

6.14. In matters not mentioned in this data protection regulation, the provisions of Regulation 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”) and Act CXII of 2011 on the right to informational self-determination and freedom of information (“Infotv.”) shall apply.

Budapest, May 25, 2018

Ágnes Németh e.v.