Privacy Policy

PRIVACY POLICY
ON THE RIGHTS OF THE NATURAL PERSON CONCERNED
IN REGARD TO THE PROCESSING OF HIS PERSONAL DATA

TABLE OF CONTENTS

INTRODUCTION
CHAPTER I: NAME OF THE DATA CONTROLLER
CHAPTER II: NAME OF THE DATA PROCESSORS

1. Our Company’s IT service provider
2. Our Company’s accounting service provider
   CHAPTER III: EMPLOYMENT-RELATED DATA PROCESSING
3. Labor and personnel records
4. Data processing related to aptitude tests
5. Data processing of employees applying for employment, applications, CVs
   IV. CHAPTER: DATA PROCESSING RELATED TO CONTRACT
6. Processing of data of contracting partners – registration of customers, suppliers
7. Contact details of natural person representatives of legal entity clients, customers, suppliers
8. Visitor data processing on the Company’s website
9. Information on the use of cookies
10. Community guidelines / Data processing on the Company’s Facebook page
    CHAPTER V: DATA PROCESSING BASED ON LEGAL OBLIGATIONS
11. Data processing for the purpose of fulfilling tax and accounting obligations
12. Payer data processing
    CHAPTER VI: SUMMARY INFORMATION ON THE RIGHTS OF THE DATA SUBJECT
    CHAPTER VII: DETAILED INFORMATION ON THE RIGHTS OF THE DATA SUBJECT
    VIII. CHAPTER: SUBMISSION OF THE DATA SUBJECT’S REQUEST, MEASURES OF THE DATA CONTROLLER

INTRODUCTION

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (hereinafter referred to as the Regulation) requires that the Data Controller shall take appropriate measures to provide the data subject with any information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, and that the Data Controller shall facilitate the exercise of the data subject’s rights.
The data subject’s obligation to provide prior information is also prescribed by Act CXII of 2011 on the right to informational self-determination and freedom of information.
We comply with this legal obligation with the information provided below.
The information must be published on the company’s website or sent to the person concerned upon request.

CHAPTER I: NAME OF THE DATA CONTROLLER

The publisher of this information, also the Data Controller:
Company name: Laser-Derm Kft.
Registered office: 7632 Pécs, Keszűi út 43.
Company registration number: 02-09-079656
Tax number: 24204899-1-02
Representative: dr. Attila Schmelás
Telephone number: +36309934956
E-mail address: schmelas.attila@borgyogyaszpecs.hu
Website: www.borgyogyaszpecs.hu
(hereinafter referred to as: Company)

II. CHAPTER: NAME OF DATA PROCESSORS

Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller; (Article 4, point 8 of the Regulation)

The use of a data processor does not require the prior consent of the data subject, but it is necessary to inform him/her. Accordingly, we provide the following information:

1. Our company’s IT service provider
   Our company uses a data processor to maintain and manage its website, who provides IT services (hosting services), and in this context – for the duration of our contract with him/her – processes the personal data provided on the website, the operation performed by him/her is the storage of personal data on the server.
   The name of this data processor is as follows:
   Company name: Légy a hálón Bt.
   Registered office: 8660 Lulla, Kossuth L. u. 41.
   Company registration number: 14-06-309098
   Tax number: 21880735-1-14
   Representative: Csaba Perger
   Telephone number: +36-30-3126474
   E-mail address: perger@legyahalon.hu
   Website: www.legyahalon.hu
2. Our Company’s accounting service provider
   Our Company uses an external service provider under an accounting service provider contract to fulfill its tax and accounting obligations, who also processes the personal data of natural persons in a contractual or payer relationship with our Company, for the purpose of fulfilling the tax and accounting obligations of our Company.
   The name of this data processor is as follows:
   Company name: Zsinkó Kft.
   Registered office: 7632 Pécs, Nagy Imre út 90. fszt. 1. ,
   Company registration number: 02-09-065352
   Tax number: 11548285-2-02
   Representative: Andrea Krámosné Schweitzer
   Telephone number: 06-72/411-462
   E-mail address: zsinko.kft@t-online.hu
   Website: http://www.zsinkokft.hu

CHAPTER III: DATA PROCESSING RELATED TO EMPLOYMENT

1. Labor and personnel records
   (1) Only such data may be requested from employees and recorded, and only such job-related medical fitness examinations may be performed, which are necessary for the establishment, maintenance and termination of employment and do not violate the employee’s personal rights.

2) The Company processes the following data of the employee for the purpose of establishing, fulfilling or terminating an employment relationship in order to enforce the legitimate interests of the employer (Article 6 (1) paragraph f) of the Regulation):

1. name,
2. birth name,
3. date of birth,
4. mother’s name,
5. address,
6. citizenship,
7. tax identification number,
8. TAJ number,
9. pensioner registration number (in the case of a pensioner),
10. telephone number,
11. e-mail address,
12. identity card number,
13. official ID card number proving address,
14. start and end date of employment,
15. job title,
16. copy of document proving educational qualification, professional qualification,
17. amount of salary, data related to salary payment and other benefits,
18. method and reasons for termination of employment,
19. summary of job suitability tests,

(3) The employer shall process data relating to illness and trade union membership only for the purpose of fulfilling the rights or obligations specified in the Labour Code.
(4) Recipients of personal data: the employer’s manager, the person exercising the employer’s authority, the Company’s employees and data processors performing labor-related tasks.
(5) Only the personal data of employees in management positions may be transferred to the owners of the Company.
(6) The period of storage of personal data: 1 year after the termination of the employment relationship.
(7) Before the start of data processing, the data subject must be informed that the data processing is based on the Labor Code and the enforcement of the employer’s legitimate interests.

2. Data processing related to suitability tests
   (1) Only suitability tests may be applied to an employee that are prescribed by a rule relating to employment or that are necessary for the exercise of a right or the fulfillment of an obligation specified in a rule relating to employment. Before the test, employees must be informed in detail, among other things, about the skills and abilities that the suitability test aims to assess, and the means and methods used to conduct the test. If a law requires the examination to be carried out, employees must be informed of the title of the law and the exact location of the law.
   (2) The scope of personal data to be processed: the fact of suitability for the job and the necessary conditions for this.
   (3) The legal basis for data processing: the legitimate interest of the employer.
   (4) The purpose of processing personal data: establishing and maintaining an employment relationship, filling a job.
   (5) Recipients of personal data and categories of recipients: the results of the examination may be known to the examined employees and the specialist performing the examination. The employer may only receive information about whether the examined person is suitable for the job or not, and what conditions must be provided for this. However, the employer may not learn the details of the examination or its full documentation.
   (6) The duration of processing personal data: 1 year after the termination of the employment relationship.

IV. CHAPTER: DATA PROCESSING RELATED TO CONTRACT

1. Processing of data of contracting partners – registration of customers, suppliers
   (1) The Company processes the name, birth name, date of birth, address, tax identification number, tax number, entrepreneur, primary producer ID number, identity card number, address, registered office, location address, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (list of customers, suppliers, regular purchase lists) of the natural person who has contracted with it as a customer or supplier for the purpose of concluding, fulfilling, terminating the contract and providing contractual benefits. This data processing is considered lawful even if the data processing is necessary to take steps at the request of the data subject prior to concluding the contract. Recipients of personal data: employees of the Company performing tasks related to customer service, employees performing accounting and tax tasks, and data processors. Duration of personal data processing: 1 year after the termination of the contract.
   (2) The data subject must be informed before the start of data processing that the data processing is based on the legal title of the performance of the contract, this information may also be provided in the contract.
   (3) The data subject must be informed about the transfer of his/her personal data to the data processor.
2. Contact details of natural person representatives of legal entity clients, buyers, suppliers
   (1) The scope of personal data that can be processed: name, address, telephone number, e-mail address, online identifier of the natural person.
   (2) Purpose of personal data processing: performance of the contract concluded by the Company with a legal entity partner, business relations, legal basis: consent of the data subject.
   (3) Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service.
   (4) Duration of storage of personal data: 1 year after the business relationship or the representative status of the data subject has been established.
3. Visitor data management on the Company’s website
   (1) Cookies are short data files that are placed on the user’s computer by the visited website. The purpose of a cookie is to make the given infocommunication and internet service easier and more convenient. There are many types, but they usually fall into two main groups:rt. One is a temporary cookie, which the website places on the user’s device only during a given session (e.g. during the security identification of an online banking session), the other type is a permanent cookie (e.g. the language setting of a website), which remains on the computer until the user deletes it. According to the European Commission’s guidelines, cookies (unless they are strictly necessary for the use of the given service) may only be placed on the user’s device with the user’s permission.
   (2) In the case of cookies that do not require the user’s consent, information must be provided during the first visit to the website. It is not necessary for the full text of the information on cookies to appear on the website; it is sufficient for the website operators to briefly summarize the essence of the information and refer to the availability of the full information via a link.
   (3) In the case of cookies that require consent, the information may also be related to the first visit to the website if the data processing associated with the use of cookies begins with the visit to the website. If the use of the cookie is related to the use of a function specifically requested by the user, the information may also be displayed in connection with the use of this function. In this case, it is not necessary for the full text of the cookie information to be displayed on the website; a brief summary of the essence of the information and a link to the full information are sufficient.
4. Information on the use of cookies

(1) In accordance with general Internet practice, our Company also uses cookies on its website. A cookie is a small file containing a series of characters that is placed on the visitor’s computer when they visit a website. When they visit the given website again, the website is able to recognize the visitor’s browser thanks to the cookie. Cookies may store user settings (e.g. selected language) and other information. Among other things, they collect information about the visitor and their device, remember the visitor’s individual settings, and may be used, e.g. when using online shopping carts. Cookies generally facilitate the use of the website, help the website to provide users with a real web experience and an effective source of information, and ensure that the website operator can monitor the operation of the website, prevent abuse and provide the services provided on the website in a smooth and appropriate manner.
(2) Our company’s website records and processes the following data about the visitor and the device used for browsing when using the website:

• the IP address used by the visitor,
• the browser type,
• the characteristics of the operating system of the device used for browsing (set language),
• the time of the visit,
• the (sub)page, function or service visited.
  (3) Accepting or allowing the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to indicate when the system is sending a cookie. Although most browsers automatically accept cookies by default, these can usually be changed to prevent automatic acceptance and to offer the option of choosing each time. In addition, we draw your attention to the fact that certain website functions or services may not function properly without cookies.
  (4) The cookies used on the website are not capable of identifying the user themselves.

(5) Cookies used on the company website:

1. Technically necessary session cookies
   These cookies are necessary for visitors to browse the website, to use its functions smoothly and to the full extent, including, among other things, to remember the actions performed by the visitor on the given pages during a visit. The duration of data processing of these cookies applies only to the visitor’s current visit; this type of cookie is automatically deleted from your computer when the session ends or the browser is closed.
   The data subject is: AVChatUserId, JSESSIONID, portal_referer.
   The legal basis for this data management is Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elkertv.) Section 13/A. (3).
   The purpose of data management: to ensure the proper functioning of the website.
2. Cookies requiring consent:
   These enable the Company to remember the user’s choices regarding the website. The visitor may prohibit this data management at any time before and during the use of the service. These data cannot be linked tossze with the user’s identification data and cannot be transferred to a third party without the user’s consent.
   2.1. Cookies facilitating use:
   The legal basis for data management is the visitor’s consent.
   The purpose of data management: Increasing the efficiency of the service, increasing the user experience, making the use of the website more convenient. The duration of data management is 6 months.
   2.2. Performance cookies:
   Google Analytics cookies – you can find information about this here:
   https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
   Google AdWords cookies – you can find information about this here:
   https://support.google.com/adwords/answer/2407785?hl=hu
3. Community guidelines / Data management on the Company’s Facebook page
   (1) The Company maintains a Facebook page to introduce and promote its products and services.
   (2) A question on the Company’s Facebook page does not constitute an officially submitted complaint.
   (3) The Company does not process personal data published by visitors on the Company’s Facebook page.
   (4) Visitors are subject to Facebook’s Privacy and Service Terms.
   (5) In the event of the publication of illegal or offensive content, the Company may exclude the data subject from membership or delete their comments without prior notice.
   (6) The Company is not liable for data content or comments published by Facebook users that violate the law. The Company is not liable for any errors, malfunctions or problems arising from changes to the operation of Facebook.

CHAPTER V: DATA PROCESSING BASED ON LEGAL OBLIGATIONS

1. Data processing for the purpose of fulfilling tax and accounting obligations
   (1) The Company processes the data of natural persons entering into business relations with it as buyers or suppliers, as specified by law, on the basis of the fulfillment of a legal obligation and for the purpose of fulfilling tax and accounting obligations prescribed by law (accounting, taxation). The data processed are, in particular, pursuant to Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax: tax number, name, address, tax status; pursuant to Section 167 of Act C of 2000 on Accounting: name, address, designation of the person or organization ordering the economic transaction, the signature of the person issuing the order and the person certifying the execution of the order, and, depending on the organization, the signature of the auditor; on the stock movement documents and cash management documents, the signature of the recipient, and on the counter-receipts, pursuant to Act CXVII of 1995 on Personal Income Tax: entrepreneur’s certificate number, primary producer’s certificate number, tax identification number.
   (2) The storage period of personal data is 8 years after the termination of the legal relationship that gives rise to the legal basis.
   (3) Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security tasks.
2. Payer data processing
   (2) The Company processes the personal data of those data subjects – employees, their family members, employees, recipients of other benefits – prescribed in tax laws, with whom its payers (2017:CL. Act on the Taxation System (Art.) 7.§ 31.) are in a relationship, for the purpose of fulfilling a legal obligation and fulfilling tax and contribution obligations prescribed by law (assessment of tax, tax advance, contributions, payroll, social security administration). The scope of the processed data is defined in Art. 50.§-a defines, especially highlighting: the natural person’s personal identification data (including the previous name and title), gender, citizenship, the natural person’s tax identification number, social security identification number (TAJ number). If the tax laws attach legal consequences to this, the Company may process the employees’ health (Szja tv. § 40) and trade union (Szja § 47.(2) b./) membership data for the purpose of fulfilling tax and contribution obligations (payroll, social security administration).
   (2) The storage period of personal data is 8 years after the termination of the legal relationship that gives rise to the legal basis.
   (3) Recipients of personal data: employees and data processors of the Company performing tax, payroll, social security (payer) tasks.

VI. CHAPTER: SUMMARY INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

In this chapter, for the sake of clarity and transparency, we briefly summarize the rights of the data subject, detailed information on the exercise of which is provided in the following chapter.

Right to prior information
The data subject has the right to be informed of the facts and information related to the data processing before the data processing begins. (Articles 13-14 of the Regulation) The detailed rules are provided in the following chapter.
Right of access of the data subject
The data subject has the right to receive feedback from the Data Controller as to whether his/her personal data is being processed and, if such processing is being carried out, to obtain access to the personal data and the related information specified in the Regulation.access. (Article 15 of the Regulation). The detailed rules are provided in the following chapter.
Right to rectification
The data subject shall have the right to obtain from the Controller, at his request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to obtain the completion of incomplete personal data, including by means of a supplementary statement. (Article 16 of the Regulation).
Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay, and the Controller shall be obliged to erase personal data concerning him or her without undue delay where one of the grounds set out in the Regulation applies. (Article 17 of the Regulation) The detailed rules are provided in the following chapter.
   Right to restriction of processing
   The data subject has the right to obtain from the Controller restriction of processing of personal data if the conditions set out in the Regulation are met. (Article 18 of the Regulation) The detailed rules are provided in the following chapter.
   Notification obligation related to the rectification or erasure of personal data or the restriction of processing
   The Controller shall inform all recipients to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The Controller shall inform the data subject of these recipients upon request. (Article 19 of the Regulation)
   Right to data portability
   Under the conditions set out in the Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another Data Controller without hindrance from the Data Controller to whom the personal data have been provided. (Article 20 of the Regulation) The detailed rules are set out in the following chapter.
   Right to object
   The data subject shall have the right, on grounds relating to his or her particular situation, to object at any time to processing of personal data concerning him or her based on points (e) of Article 6(1) of the Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) of Article 6(1) of the Regulation (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party). (Article 21 of the Regulation)
   The detailed rules are provided for in the following chapter.
   Automated decision-making in individual cases, including profiling
   The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. (Article 22 of the Regulation) The detailed rules are provided for in the following chapter.
   Restrictions
   Union or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the In accordance with the rights and obligations set out in Articles 12 to 22 and 34 and in Articles 12 to 22 (Article 23 of the Regulation), the detailed rules are provided in the following chapter.
   Informing the data subject about the data breach
   Where the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject about the data breach without undue delay. (Article 34 of the Regulation) The detailed rules are provided in the following chapter.
   Right to lodge a complaint with a supervisory authority (right to a judicial remedy)
   The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her infringes the Regulation. (Article 77 of the Regulation) The detailed rules are provided in the following chapter.
   Right to an effective judicial remedy against a supervisory authority
   Every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her, or where the supervisory authority does not deal with a complaint or does not inform the data subject of the progress or the outcome of the complaint within three months. (Article 78 of the Regulation) The detailed rules are provided in the following chapter.
   Right to an effective judicial remedy against a controller or processor
   Every data subject shall have the right to an effective judicial remedy against a controller or processor if, in his or her opinion, the processing of personal data concerning him or her infringes this Regulation.the rights under this Regulation have been infringed as a result of its improper processing. (Article 79 of the Regulation)
   The detailed rules are provided in the following chapter.

CHAPTER VII: DETAILED INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

Right to prior information
The data subject shall have the right to be informed of the facts and information relating to the processing before the processing is carried out

A) Information to be provided where the personal data concerning the data subject are collected from the data subject

1. Where the personal data concerning the data subject are collected from the data subject, the data controller shall, at the time of obtaining the personal data, provide the data subject with all of the following information:
   a) the identity and contact details of the controller and, where applicable, of the controller’s representative;
   b) the contact details of the data protection officer, where applicable;
   c) the purposes of the intended processing of the personal data and the legal basis for the processing;
   d) in the case of processing based on point (f) of Article 6(1) of the Regulation (legitimate interests), the legitimate interests of the controller or of a third party;
   e) where applicable, the recipients of the personal data or, where applicable, the categories of recipients;
   f) where applicable, the fact that the controller intends to transfer the personal data to a third country or to an international organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Articles 46, 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy of them or their availability.
2. In addition to the information referred to in point 1, the controller shall, at the time of obtaining the personal data, inform the data subject of the following additional information in order to ensure fair and transparent processing:
   a) the period for which the personal data will be stored or, where that is not possible, the criteria for determining that period;
   b) the data subject’s right to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data, as well as the data subject’s right to data portability;
   c) in the case of processing based on Article 6(1)(a) of the Regulation (the data subject’s consent) or Article 9(2)(a) of the Regulation (the data subject’s consent), the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal;
   d) the right to lodge a complaint with a supervisory authority;
   e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for entering into a contract, and whether the data subject is obliged to provide the personal data, and what the possible consequences of not providing the data may be;
   f) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in such cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
3. Where the controller intends to process personal data for purposes other than those for which they were collected, the controller shall inform the data subject of that purpose and of any relevant additional information referred to in paragraph 2 prior to the further processing.
4. Points 1 to 3 shall not apply if and to the extent that the data subject already has the information.
   (Article 13 of the Regulation)

B) Information to be provided where the personal data have not been obtained from the data subject

1. Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
   a) the identity and contact details of the controller and, where applicable, of the controller’s representative;
   b) the contact details of the data protection officer, where applicable;
   c) the purposes of the intended processing of the personal data and the legal basis for the processing;
   d) the categories of personal data concerned;
   e) the recipients of the personal data or categories of recipients, where applicable;
   (f) where applicable, the fact that the controller intends to transfer the personal data to a recipient in a third country or to an international organisation, the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Articles 46, 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy of them or their accessibility.
2. In addition to the information referred to in point 1, the controller shall make available to the data subject:shall provide the data subject with the following additional information necessary to ensure fair and transparent processing of the personal data:
   a) the period for which the personal data will be stored or, where that is not possible, the criteria for determining that period;
   b) where the processing is based on point (f) of Article 6(1) of the Regulation (legitimate interest), the legitimate interests of the controller or a third party;
   c) the right of the data subject to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of personal data, as well as the right of the data subject to data portability;
   d) in the case of processing based on point (a) of Article 6(1) of the Regulation (consent of the data subject) or point (a) of Article 9(2) of the Regulation (consent of the data subject), the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal;
   (e) the right to lodge a complaint with a supervisory authority;
   (f) the source of the personal data and, where applicable, whether the data are obtained from publicly available sources; and
   (g) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in those cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
3. The controller shall provide the information referred to in points 1 and 2 as follows:
   (a) within a reasonable period, taking into account the specific circumstances of the processing of the personal data, from the date on which the personal data were obtained, but in any event not later than one month after the personal data were obtained;
   (b) where the personal data are used for the purpose of communicating with the data subject, at least at the time of the first communication with the data subject; or
   c) if the data are expected to be disclosed to other recipients, at the latest when the personal data are disclosed for the first time.
4. Where the controller intends to process personal data for purposes other than those for which they were collected, he shall inform the data subject of that purpose and of any relevant additional information referred to in point 2 before the processing.
5. Points 1 to 5 shall not apply if and to the extent that:
   a) the data subject already has the information;
   b) providing the information in question proves impossible or would involve a disproportionate effort, in particular in the case of processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, subject to the conditions and safeguards laid down in Article 89(1) of the Regulation, or where the obligation referred to in point 1 of this Article is likely to render impossible or seriously jeopardise the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including by making the information publicly available;
   c) the collection or disclosure of the data is expressly required by Union or Member State law to which the controller is subject and which provides for appropriate measures to safeguard the legitimate interests of the data subject; or
   d) the personal data must remain confidential by virtue of an obligation of professional secrecy laid down in Union or Member State law, including a statutory obligation of confidentiality. (Article 14 of the Regulation)

Right of access of the data subject

1. The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed and, where such processing is taking place, access to the personal data and to the following information:
   a) the purposes of the processing;
   b) the categories of personal data concerned;
   c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
   d) where applicable, the envisaged period for which the personal data will be stored or, where that is not possible, the criteria for determining that period;
   e) the right of the data subject to obtain from the controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data;
   f) the right to lodge a complaint with a supervisory authority;
   g) where the data were not collected from the data subject, all available information on their source;
   h) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in such cases, intelligible information on the logic involved and the significance of such processing and the effects it will have on the data subject.zve what the foreseeable consequences are.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the Regulation.
3. The Controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For further copies requested by the data subject, the Controller may charge a reasonable fee based on the administrative costs. If the data subject has submitted the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject otherwise requests. The right to request a copy shall not adversely affect the rights and freedoms of others. Article 15 of the Regulation)

Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay, and the Controller shall be obliged to erase personal data concerning him or her without undue delay where one of the following grounds applies:
   a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
   b) the data subject withdraws consent to the processing pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation, and there is no other legal basis for the processing;
   c) the data subject objects to the processing pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
   d) the personal data have been processed unlawfully;
   e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
   f) the personal data were collected in connection with the offering of information society services referred to in Article 8(1) of the Regulation.
2. Where the controller has made the personal data public and is obliged to erase them pursuant to point 1 above, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that the data subject has requested erasure by them of links to the personal data or of any copy or replication of those personal data.
3. Points 1 and 2 shall not apply where processing is necessary:
   a) for the exercise of the right to freedom of expression and information;
   b) for compliance with an obligation to process personal data to which the Controller is subject under Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
   c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the Regulation;
   d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in point 1 would likely render impossible or seriously jeopardise such processing; or
   e) for the establishment, exercise or defence of legal claims. (Article 17 of the Regulation)

Right to restriction of processing

1. The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
   a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data;
   b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
   c) the Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
   d) the data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller override those of the data subject.
2. Where processing is restricted pursuant to point 1, such personal data may, with the exception of storage, only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of the Union or of a Member State.
3. The Controller shall inform the data subject at whose request the processing has been restricted pursuant to point 1 in advance of the lifting of the restriction on processing.(Article 18 of the Regulation)

Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where:
   a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation, or on a contract pursuant to point (b) of Article 6(1); and
   b) the processing is carried out by automated means.
2. In exercising the right to data portability pursuant to point 1, the data subject shall have the right to request the direct transmission of the personal data between controllers, where technically feasible.
3. The exercise of this right shall be without prejudice to Article 17 of the Regulation. This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
4. The right referred to in point 1 shall not adversely affect the rights and freedoms of others. (Article 20 of the Regulation)

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (e) of Article 6(1) of the Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller) or point (f) of Article 6(1) of the Regulation (processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party), including profiling based on those provisions. In this case, the Data Controller shall not process the personal data any further, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling where it is related to such direct marketing.
3. Where the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. The right referred to in points 1 and 2 shall be expressly brought to the attention of the data subject at the latest when the data subject is first contacted and the information shall be displayed clearly and separately from any other information.
5. In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right to object by automated means based on technical specifications.
6. Where personal data are processed for scientific and historical research purposes or for statistical purposes in accordance with Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. (Article 21 of the Regulation)

Automated decision-making in individual cases, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Point 1 shall not apply where the decision:
   a) is necessary for entering into, or the performance of, a contract between the data subject and the controller;
   b) is permitted by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
   c) is based on the data subject’s explicit consent.
3. In the cases referred to in points (a) and (c) of point 2, the controller shall implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, including at least the right for the data subject to obtain human intervention on the part of the controller, to express his or her point of view and to object to the decision.
4. The decisions referred to in point 2 shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) applies and suitable measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject. (Article 22 of the Regulation)

Restrictions

1. The DataUnion or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the scope of the rights and obligations set out in Article 5 in respect of the provisions of Articles 12 to 22 and Article 34 of the Regulation and in accordance with the rights and obligations set out in Articles 12 to 22, where the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
   a) national security;
   b) national defence;
   c) public security;
   d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
   (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
   (f) the protection of the independence of the judiciary and the course of justice;
   (g) in the case of regulated professions, the prevention, investigation, detection and prosecution of ethical misconduct;
   (h) in the cases referred to in points (a) to (e) and (g), the carrying out of inspections, inspections or regulatory activities connected with the exercise of official authority, even occasionally;
   (i) the protection of the data subject or the rights and freedoms of others;
   (j) the exercise of civil law claims.
2. The legislative measures referred to in point 1 shall, where appropriate, contain detailed provisions on at least:
   a) the purposes of the processing or the categories of processing,
   b) the categories of personal data,
   c) the scope of the restrictions imposed,
   d) the safeguards against misuse or unauthorised access or transfer,
   e) the definition of the controller or categories of controllers,
   f) the period of data storage and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing,
   g) the risks to the rights and freedoms of data subjects, and
   h) the right of data subjects to be informed of the restriction, unless this would adversely affect the purpose of the restriction. (Article 23 of the Regulation)

Information of the data subject about the personal data breach

1. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject about the personal data breach without undue delay.
2. The information provided to the data subject referred to in point 1 shall describe in a clear and intelligible manner the nature of the personal data breach and shall include at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the Regulation.
3. The data subject shall not be required to be informed as referred to in point 1 if any of the following conditions are met:
   a) the controller has implemented appropriate technical and organisational protection measures and those measures have been applied to the personal data affected by the personal data breach, in particular measures such as encryption which render the personal data unintelligible to persons not authorised to access the personal data;
   b) the Controller has taken further measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in point 1 is unlikely to materialise;
   c) providing information would involve a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the data subjects are informed in an equally effective manner.
4. If the Controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to result in a high risk, order the data subject to be informed or determine that one of the conditions referred to in point 3 is met. (Article 34 of the Regulation)

Right to lodge a complaint with a supervisory authority

1. Without prejudice to other administrative or judicial remedies, each data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her infringes this Regulation.
2. The supervisory authority to which the complaint has been lodged shall inform the data subject of the progress of the procedure relating to the complaint and of its outcome, including the right to a judicial remedy under Article 78 of the Regulation. (ReArticle 77 of the Regulation)

Right to an effective judicial remedy against a supervisory authority

1. Without prejudice to other administrative or non-judicial remedies, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.
2. Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy where the supervisory authority competent under Article 55 or 56 of the Regulation does not deal with the complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged under Article 77.
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
4. Where proceedings are brought against a decision of the supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall be obliged to forward that opinion or decision to the court. (Article 78 of the Regulation)

Right to an effective judicial remedy against the controller or processor

1. Without prejudice to any administrative or non-judicial remedy available to it, including the right to lodge a complaint with the supervisory authority in accordance with Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of personal data concerning him or her not being in accordance with this Regulation.
2. Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State of the habitual residence of the data subject, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. (Article 79 of the Regulation)

CHAPTER VIII: SUBMISSION OF THE DATA SUBJECT’S REQUEST, MEASURES OF THE DATA CONTROLLER

1. The Controller shall inform the data subject without undue delay and in any event not later than one month from the date of receipt of the request of the data subject of the measures taken in response to the request to exercise his or her rights.
2. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The Controller shall inform the data subject of the extension of the period, stating the reasons for the delay, within one month from the date of receipt of the request.
3. If the data subject has submitted the request electronically, the information shall be provided electronically, unless the data subject otherwise requests.
4. If the Data Controller does not take action on the data subject’s request, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for not taking action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his or her right to a judicial remedy.
5. The Data Controller shall provide the information pursuant to Articles 13 and 14 of the Regulation and information on the data subject’s rights (Articles 15-22 and 34 of the Regulation) and the action free of charge. If the data subject’s request is clearly unfounded or, in particular due to its repetitive nature, excessive, the Data Controller may, taking into account the administrative costs involved in providing the requested information or communication or taking the requested action:
   a) charge a fee of 6,350 HUF, or
   b) refuse to take action based on the request.
   The Data Controller shall bear the burden of proving that the request is clearly unfounded or excessive.
6. If the Data Controller has reasonable doubts regarding the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the data subject.

Laser-Derm Kft, 2018.05.25.