Privacy Policy

Effective from 08 June 2016 until revoked.

Data Controller Details:

Company name: Krisztíz Partner Kft.
Registered address: 2091 Etyek, Deák Ferenc u. 48
Tax number: 23150663-2-07
Company registration number: 07-09-019895
Representative: Mária Krisztina Szikra, Managing Director
Email: info@karrierfitnesz.hu

 

Purpose of the Privacy Policy

The Data Controller acknowledges the content of this legal notice as binding upon itself.
The purpose of this Privacy Policy is to inform its clients, partners and customers about how their personal data is handled. The Data Controller processes personal data exclusively in accordance with the applicable legal regulations and in full compliance with data processing and data protection requirements. It adheres strictly to the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy and storage limitation.

The Data Controller takes all necessary technical and organizational measures to ensure that the personal data of its partners is processed securely and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). In line with the above, the Data Controller has structured its daily operations, policies, records, templates and notices accordingly.

The data protection principles related to its data processing activities are continuously available at the Data Controller’s registered office and on its website.
The Data Controller reserves the right to amend this notice at any time, and will inform its audience of any changes in a timely manner.

The Data Controller is committed to protecting the personal data of its partners and clients, and considers the right to informational self-determination of its customers to be of paramount importance.
Personal data is treated confidentially, and all necessary security, technical and organizational measures are taken to ensure the protection of the data. Below, the Data Controller provides details of its data processing practices.

Scope of the Privacy Policy – Personal, Material and Temporal

The personal scope of this Privacy Policy extends to the Data Controller, as well as to all natural persons whose data is subject to processing under this Policy, and to any persons whose rights or legitimate interests may be affected by such data processing.

The material scope of this Policy covers all data processing activities carried out in the course of the Data Controller’s operations.

This Policy enters into force on the date of its approval and shall remain effective for an indefinite period, until further notice.

Key Definitions

Personal data: any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data: all data falling under the special categories of personal data, including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.

Data processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Joint controllers: where two or more controllers jointly determine the purposes and means of processing, they are considered joint controllers.

Third party: a natural or legal person, public authority, agency or other body other than the data subject, the data controller, the data processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Data subject’s consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Personal data breach: a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

Lawful Data Processing by the Data Controller

The Data Controller processes personal data only in the following cases:

– the data subject has given consent to the processing of their personal data for one or more specific purposes
– the processing is necessary for the performance of a contract to which the data subject is a party
– the processing is necessary for compliance with a legal obligation to which the Data Controller is subject
– the processing is necessary to protect the vital interests of the data subject or another natural person
– the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party

The lawfulness of data processing is assessed at every stage of the Data Controller’s operations. Personal data is only processed if its purpose and legal basis can be clearly justified. If a legal basis ceases to exist, data processing may only continue if the Data Controller can provide a valid alternative legal basis.

As a general rule, the existence of a valid legal basis must be proven in writing. Even in cases based on implied conduct, it must be assessable whether the legal basis can be clearly demonstrated afterwards. In case of doubt, written confirmation is recommended, taking into account reasonable and economic considerations.

In the case of consent-based data processing, the data subject must give written consent to the processing of their personal data. While no formal requirements apply to the format, the ability to prove consent later requires a written statement, either on paper or in electronic form.

Where data processing is based on compliance with a legal obligation, it does not depend on the data subject’s consent, as the legal basis is defined by law.

Even in cases where processing is mandatory, the data subject must be informed before the processing begins that the processing is required and cannot be avoided. In addition, the data subject must be clearly and thoroughly informed of all significant facts relating to the processing of their personal data before it starts.

According to the GDPR (General Data Protection Regulation), the processing of personal data is also lawful if it is necessary for the performance of a contract to which the data subject is a party, or if processing is required in order to take steps at the request of the data subject prior to entering into a contract.
Based on this legal ground, the Data Controller may process personal data for the purposes of concluding, performing, or terminating a contract.

Processing of Personal Data at the Data Controller

The Data Controller provides training and educational activities, as well as coaching services to clients. In addition, the company engages in commercial activities. These activities involve the processing of personal data belonging to natural persons. The following data processing practices apply:

Applications for services provided by the Data Controller can be submitted via email, telephone, social media platforms, or the application form available on the website. During the application process, the Data Controller requests the client’s name, phone number, and email address.
These personal data are processed in order to schedule an appointment and ensure further contact in case of any changes.
The legal basis for processing this data is the establishment of a contract (Article 6 (1) (b) of the General Data Protection Regulation).
If the individual does not make use of the scheduled appointment, the Data Controller will delete their personal data without delay, but no later than within 3 working days.
If the service is used, the legal basis for processing the personal data is the performance of contractual obligations (Article 6 (1) (b) of the GDPR).

The Data Controller issues an invoice for the services provided, which may include the client’s name, address, and—if applicable—tax number.
The legal basis for this data processing is the fulfilment of a legal obligation (Article 6 (1) (c) of the GDPR).
Personal data included on the invoice are stored for 8 years in compliance with the retention requirements set out in Section 169 of the Accounting Act.

In certain activities, the Data Controller may engage with both natural and legal persons as clients.
The establishment of a contractual relationship is typically preceded by a request for quotation, which may be submitted by phone, email, or through social media platforms.
In such cases, the requester provides their name, phone number, and email address, to which the Data Controller sends the relevant offer.

If the offer is declined, the personal data of the requester is deleted without delay, but no later than within 3 working days.
The legal basis for processing this data is the intention to establish a contract (Article 6 (1) (b) of the General Data Protection Regulation).

If the offer is accepted and the individual wishes to proceed with the service, a contractual relationship is formed between the parties.
Following this, the Data Controller may receive additional personal data from private individuals (partners and contact persons).
In such cases, the legal basis for data processing is the performance of contractual obligations (Article 6 (1) (b) of the GDPR).
In the case of a contact person acting on behalf of a legal entity, the legal basis is the individual’s consent (Article 6 (1) (a) of the GDPR).

The Data Controller issues an invoice for the services provided.
This invoice includes the client’s name, address, and, where applicable, tax number.
Issuing the invoice is a legal obligation of the Data Controller.
Therefore, the legal basis for processing personal data listed on the invoice is the fulfilment of a legal obligation (Article 6 (1) (c) of the GDPR).
These personal data are stored for 8 years in accordance with the retention requirements of Section 169 of the Accounting Act.

In the course of its activities, the data controller may become aware of special categories of personal data related to the data subject’s health condition. These types of data are, by their nature, particularly sensitive and require specific protection, as their processing may pose a significant risk to fundamental rights and freedoms depending on the circumstances.

The data controller uses such special data solely for the purpose of applying the most appropriate method in its professional practice and to support the success of the coaching process. Special data is stored only for as long as the data subject is receiving services. Thereafter, such data is immediately destroyed — no later than three working days after the service has ended.

The processing of special data by the data controller is based on Article 9(2)(a) of the General Data Protection Regulation (GDPR), as the data subject provides their explicit, written, and informed consent at the time of registration or the first session.

The legal basis for processing such special data also includes the performance of contractual obligations, in accordance with Article 6(1)(b) of the GDPR, as processing health-related data is necessary to provide the professional service at an appropriate standard.

The data controller also organizes trainings, courses, workshops, and conferences. Registration for the programs can be done via telephone, email, social media platforms, using the registration form available on the data controller’s website, or by making a purchase on the website. During registration, the data controller requests the data subject’s name, address, email address, and phone number. The purpose of data processing is to register for the event, ensure the possibility of maintaining contact with the data subject, and to organize the program. The legal basis for processing personal data is the fulfillment of contractual obligations (General Data Protection Regulation Article 6(1)(b)).
The data controller issues an invoice to the participant for the amount of the participation fee. The invoice contains the client’s name, address, and possibly tax number. The legal basis for processing personal data is the fulfillment of a legal obligation (General Data Protection Regulation Article 6(1)(c)).
The personal data on the invoice are stored by the data controller for 8 years in accordance with the retention obligation set out in Section 169 of the Accounting Act.

Regarding the sale of products, the data controller accepts orders via its website, and registration for the announced trainings and courses is also possible there. Buyers/applicants can be natural persons or legal entities. In the case of registration or purchase, the data subject provides their personal data (name, address, email address, phone number) to the data controller. The legal basis for processing personal data is the fulfillment of contractual obligations (General Data Protection Regulation Article 6(1)(b)).
The data controller issues an invoice to the buyer/participant for the purchased service or product. The invoice contains the buyer’s/participant’s name, address, and possibly tax number. Issuing the invoice is a legal obligation of the data controller. Therefore, the legal basis for processing the personal data on the invoice is the fulfillment of a legal obligation (General Data Protection Regulation Article 6(1)(c)).
The personal data on the invoice are stored by the data controller for 8 years in accordance with the retention obligation set out in Section 169 of the Accounting Act.

In the course of performing its duties, the data controller processes the email addresses and phone numbers of its partners and clients, either for the purpose of fulfilling contractual obligations (Article 6(1)(b) of the General Data Protection Regulation), or based on their individual consent (Article 6(1)(a) of the General Data Protection Regulation).

The data controller may also be in contractual relationships with subcontractors, suppliers, and service providers during its work, which also provides a basis for the processing of personal data. In such cases, the legal basis for processing personal data (in the case of a natural person or sole proprietor) is the performance of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation), and in the case of the contact person of a legal entity, the express, prior, and informed consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).

The data controller primarily presents its activities, services, and products on its own website. The website uses cookies during operation, which also collect personal data from visitors. The legal basis for this data processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).

The data controller also presents its cooperating partners on its website. The introduction may contain the data subject’s personal data (e.g., name, image). Such personal data will only be used or published if the data subject has given prior written consent based on proper information (Article 6(1)(a) of the General Data Protection Regulation).

For the purpose of presenting its activities, services, and products, and for marketing purposes, the data controller also operates social media pages. Personal data of followers may also be processed on these platforms. The legal basis for this data processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).

In the course of complaint handling related to its activities, the purpose of data processing is to allow the submission of complaints, to identify the complainant and the complaint, to record the legally required data, and to investigate the complaint and maintain related communication.

In case a complaint is submitted, the processing of personal data is mandatory based on Act CLV of 1997 on Consumer Protection. Accordingly, the legal basis for processing personal data is compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).

The following service providers qualify as data processors used by the data controller in the course of providing online services:

Zoom Video Communications, Inc.
55 Almaden Boulevard, 6th Floor, San Jose, CA 95113
info@zoom.us

In the case of cloud-based online data storage, the service provider also qualifies as a data processor:

Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland

Owner of the YouTube social video-sharing platform:

Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland

The data controller also transfers personal data of its clients to the National Tax and Customs Administration of Hungary (NAV).

The contracted data processors and data controller partners process the personal data of clients exclusively based on the instructions of the data controller (except when required by law) and are bound by confidentiality obligations.

Data processing related to contracts concluded by the data controller

Client Contracts

Services provided by the data controller can be requested via email, phone, social media, or through the registration form available on the website. During registration, the data controller requests the client’s name, phone number, and email address. These personal data are processed to assign a suitable appointment to the client and to ensure contact in case of appointment rescheduling. The legal basis for processing such personal data is the creation of a contract (Article 6(1)(b) of the General Data Protection Regulation).

If the data subject ultimately does not use the service at the scheduled time, the data controller deletes the personal data without delay, but no later than within 3 working days.

During the provision of the service, the legal basis for processing personal data is the fulfillment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation).

The data controller issues an invoice for the services provided, which includes the client’s name, address, and, where applicable, tax number. The legal basis for processing these personal data is compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The personal data on the invoice are stored by the data controller for 8 years, in accordance with the retention obligation set out in Section 169 of the Accounting Act.

The data controller also organizes workshops and conferences. Registration for these programs can be done via phone, email, messages through social media, the registration form available on the data controller’s website, or by purchasing access through the website. During registration, the data controller requests the participant’s name, address, email address, and phone number. The purpose of data processing is to complete the event registration, ensure communication with the participant, and organize the program. The legal basis for processing personal data is the fulfillment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation).

The data controller issues an invoice for the participation fee, which includes the participant’s name, address, and, where applicable, tax number. The legal basis for processing these personal data is compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The data on the invoice are stored for 8 years in accordance with the retention obligation set out in Section 169 of the Accounting Act.

Supplier Contracts

The data controller may also process the contact details of suppliers (name, email address, phone number) and may have business relationships with service providers or subcontractors. In such cases, personal data of contact persons or individuals acting as sole proprietors may be processed for communication purposes. The legal basis for processing personal data is the fulfillment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation), or the contact person’s consent (Article 6(1)(a) of the General Data Protection Regulation).

The data controller requests contact persons of partner companies to fill out a consent statement, in which they are informed of their rights regarding personal data and asked to give their consent for data processing. In such cases, the legal basis for processing personal data is the data subject’s explicit, written consent based on adequate prior information (General Data Protection Regulation Article 6 (1) a)). If the contract with the partner has ended and there is no statutory retention obligation regarding the data or documents, phone numbers and email addresses are deleted. Personal data appearing in contracts and invoices is stored by the data controller for 8 years, in compliance with the retention obligation set out in Section 169 of the Accounting Act.

Handling of Personal Data on Invoices Issued to Clients

The data controller issues invoices for the services provided and products sold. The invoice contains the client’s name, address, and possibly tax number. Issuing an invoice is a legal obligation of the data controller. Therefore, the legal basis for processing personal data on the invoice is the fulfillment of a legal obligation (General Data Protection Regulation Article 6 (1) c)). The data controller stores the personal data on the invoice for 8 years, in compliance with the retention obligation set out in Section 169 of the Accounting Act. If the data controller provides adult education services, documents related to the training — including invoices — are retained for 8 years, in accordance with the relevant provisions of the Adult Education Act.

Procedure for retaining email addresses and telephone numbers

In the course of its activities, the data controller becomes aware of the email addresses and telephone numbers of its partners, clients, and customers. Personal data that enters the system in this way is primarily processed in order to fulfill contractual obligations (General Data Protection Regulation Article 6 (1) point b)). If the contract with the partner is terminated and there is no statutory obligation to retain the data or documents, the telephone numbers and email addresses are deleted. In some cases, the data controller continues to have a legitimate interest in retaining the data; in such cases, the data subject’s explicit and written consent is requested for the retention of their personal data (General Data Protection Regulation Article 6 (1) point a)).

The data controller’s website

The data controller presents its activities and services on its website (www.karrierfitnesz.hu).

During the operation of the website, cookies are used, which also collect personal data from visitors. The legal basis for data processing is the consent of the data subject (General Data Protection Regulation Article 6 (1) point a)).

Personal data processing during registration for mental training and coaching on the website:

It is possible to apply for the services provided by the data controller via the application form available on the website. During the application, the data controller requests the client’s name and email address. The personal data is processed by the data controller in order to assign the appropriate appointment to the client and to ensure contact in case of any schedule changes. The legal basis for processing personal data obtained in this way is the creation of a contract (General Data Protection Regulation Article 6 (1) point b)). If the data subject does not use the services of the data controller at the booked time, the personal data will be deleted immediately, but no later than within 3 working days. During the use of the service, the legal basis for processing personal data is the fulfillment of obligations undertaken in the contract (General Data Protection Regulation Article 6 (1) point b)). The data controller issues an invoice to the client for the services provided. The invoice includes the client’s name, address, and possibly tax number. The legal basis for processing personal data is the fulfillment of a legal obligation (General Data Protection Regulation Article 6 (1) point c)). The personal data included in the invoice is stored by the data controller for 8 years in compliance with the retention obligation specified in Section 169 of the Accounting Act.

The data controller also organizes workshops and conferences. Applications for these programs can also be submitted using the form available on the data controller’s website or by purchasing on the website. During the application, the data controller requests the name, address, email address, and telephone number of the data subject. The purpose of the data processing is to carry out the registration for the event, ensure the possibility of contact with the data subject, and organize the program. The legal basis for processing personal data is the fulfillment of obligations undertaken in the contract (General Data Protection Regulation Article 6 (1) point b)). The data controller issues an invoice to the participant for the amount of the participation fee. The invoice includes the client’s name, address, and possibly tax number. The legal basis for processing personal data is the fulfillment of a legal obligation (General Data Protection Regulation Article 6 (1) point c)). The personal data included in the invoice is stored by the data controller for 8 years in compliance with the retention obligation specified in Section 169 of the Accounting Act. 

Processing of personal data through the use of the contact form

On the website, visitors have the option to contact the data controller using a contact form. The form requires the visitor’s name and email address. The purpose of processing personal data is to establish contact with the website visitor and with the person interested in the data controller’s services or products. If no service or product is ordered following the contact, the personal data of the interested party will be deleted immediately, but no later than within 3 working days. The data controller processes the personal data for the purpose of entering into a contract, with this being the legal basis (General Data Protection Regulation Article 6 (1) point b)). By completing the form, the data subject declares that they have read the Data Protection Notice of the data controller and acknowledge its contents.

Processing of personal data during the presentation of cooperating partners on the website

The data controller also presents its cooperating partners on the website. The introduction includes the personal data of the data subject (e.g. name, likeness). These personal data are used and published only if the data subject has given their prior written consent based on proper information (General Data Protection Regulation Article 6 (1) point a)). The data controller processes the personal data until the data subject withdraws their consent.

The data controller’s social media pages

The data controller also operates a Facebook page, where personal data is also processed. On its Facebook page, the data controller promotes its activities. This page is used by the data controller for marketing purposes.

The data controller also provides comprehensive personal support through Facebook. If you send a question via Facebook, the data controller will try to respond as soon as possible. The data obtained through the Facebook page is used solely to answer your question and not for further advertising purposes.

The purpose of using the Facebook page is advertising through social media and sharing information. Facebook may also use the data for its own purposes, including profiling the data subject and targeting them with advertisements.

In order to contact the data controller via Facebook, you must log in. For this, Facebook may also request, store, and process personal data. The data controller has no influence over the type, scope, or processing of these data and does not receive any personal data from Facebook’s operator. Further information can be found on Facebook’s website.

The data controller processes the personal data of followers on its Facebook page based on their consent (General Data Protection Regulation Article 6 (1) point a)); consent is considered given when the individual likes or follows the page or its posts, or writes a comment.

Processing of personal data through the use of cloud-based applications

The data controller primarily uses cloud-based services for storing, sharing, and backing up documents. A common feature of such services is that they are not provided by the user’s computer but by a remote server located in a data center anywhere in the world. Online storage services also fall under this category. The major advantage of cloud applications is that they provide highly secure, flexibly scalable IT storage and processing capacity, essentially independent of geographic location.

In these cases, the cloud service provider is considered a data processor, who processes personal data on behalf of the data controller. Cloud service providers are obliged to handle personal data confidentially and may only perform data processing based on the instructions of the data controller.

The data controller selects its cloud service partners with the utmost care and takes all generally expected measures to conclude contracts that also consider the data security interests of its clients, partners, and customers. The data controller ensures the transparency of their data processing principles and regularly monitors data security.

Cloud-based storage is password-protected, and the data stored there is accessible exclusively to the data controller.

By accepting this Privacy Policy, the data controller’s partners explicitly consent to the data transfer necessary for using cloud-based applications.

Handling of complaints related to the activities of the data controller

The purpose of data processing during the handling of complaints related to the activities of the data controller is to enable the submission of complaints, identify the data subject and the complaint, record the data that must be registered by law, and maintain communication related to the investigation and resolution of the complaint.

In the case of a submitted complaint, the processing of personal data – based on Act CLV of 1997 on Consumer Protection – is mandatory. Accordingly, the legal basis for the processing of personal data is the fulfillment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation).

The data controller retains the record of the complaint and a copy of the response for 5 years, and personal data is processed for this period accordingly.

Data Security

The data controller undertakes to ensure the security of the data and takes the necessary technical and organizational measures, maintaining the procedural rules that guarantee the protection of the recorded, stored, and processed data, and prevent their destruction, unauthorized use, or unauthorized modification. The data controller also undertakes to call upon any third party to whom the data is transferred or handed over to comply with data security requirements.

The data controller ensures that unauthorized persons cannot access, disclose, transmit, modify, or delete the processed data. The processed data may only be accessed by the data controller and the data processor(s) it uses; they are not disclosed to third parties who are not authorized to access the data.

The data controller pays special attention to the security of the personal data of its partners, clients, and customers. It acts in full compliance with legal regulations and requires the same from all its partners. The protection of personal data includes both physical security (e.g., storing documents in a lockable room and cabinet protected by an alarm system) and IT security.

The data controller stores the personal data provided by the data subject primarily on the servers of the data processor(s) specified in this Privacy Notice, which are equipped with standard security systems, partly on its own IT equipment, and, in the case of paper-based data, at its registered office, stored securely.

Data subjects acknowledge and accept that full protection of their personal data cannot be guaranteed on the internet or in computer systems. In the event of unauthorized access or data breach — despite the data controller’s efforts — actions must be taken as outlined in this Privacy Notice.

Rights of the data subjects regarding data processing

Transparent information

This Privacy Notice also serves the purpose of providing clear, concise, transparent, and understandable information about the data processing activities carried out by the data controller.

Right of access

The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information:

the purpose of the processing

the categories of personal data concerned

the recipients to whom the personal data has been or will be disclosed

the envisaged period for which the personal data will be stored

You may request information about the above data from the data controller via the following email address:

Krisztíz Partner Kft.

Email: info@karrierfitnesz.hu

The data controller hereby informs you that your request will be answered within 30 days.

Right to rectification

The data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them.

You may request information about the above data from the data controller via the following email address:

Krisztíz Partner Kft.

Email: info@karrierfitnesz.hu

The data controller hereby informs you that your request will be answered within 30 days.

Right to erasure

The data subject has the right to obtain from the data controller the erasure of personal data concerning them. The data controller is obliged to erase the personal data without undue delay if one of the following grounds applies:

the personal data is no longer necessary in relation to the purposes for which it was collected

the data subject withdraws consent and there is no other legal ground for the processing

the data subject objects to the processing and there are no overriding legitimate grounds for the processing

the personal data has been unlawfully processed

the personal data has to be erased for compliance with a legal obligation under Union or Member State law

Right to restriction of processing

The data subject has the right to obtain from the data controller restriction of processing, especially when:

they contest the accuracy of the personal data

they consider the processing unlawful, but for some reason do not request erasure

You may request information about the above data from the data controller via the following address:
Krisztíz Partner Kft.
Email: info@karrierfitnesz.hu

The data controller hereby informs you that your request will be answered within 30 days.

Right to data portability

The data subject has the right to receive the personal data concerning them in a structured, commonly used, machine-readable format and has the right to transmit those data to another controller.

Right to object

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data, in accordance with Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.

You may request information about the above data from the data controller via the following address:
Krisztíz Partner Kft.
Email: info@karrierfitnesz.hu

The data controller hereby informs you that your request will be answered within 30 days.

Data Protection Incident

A data protection incident is considered to be a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that has been transmitted, stored, or otherwise processed.

In the case of a data protection incident, the breach of data security must pose a serious risk, meaning that the breach must be of such a level that it involves:

the destruction of personal data,

the loss of personal data,

the alteration of personal data,

the unauthorized disclosure of personal data, or

the unauthorized access to personal data.

An incident is deemed to have occurred if any of the above situations takes place; several of them may also occur simultaneously. This category covers not only intentional, malicious behavior but also breaches caused by negligence. An incident therefore occurs whether it is caused by an accidental or an unlawful act.

Examples of data protection incidents include:

illegal transmission of personal data via documents, portable devices, data carriers or IT systems (e.g. email),

unauthorized access to an IT system or application handling personal data,

damage to or loss of part or all of a database containing personal data,

part or all of an IT system becoming unusable due to a virus or other malicious software, etc.

In the absence of appropriate and timely action, a data breach may cause physical, material, or non-material damage to natural persons. This includes, among others, the loss of control over their personal data or limitations of their rights, discrimination, identity theft or misuse of identity, financial loss, unauthorized reversal of pseudonymization, damage to reputation, breach of confidentiality of data protected by professional secrecy, or other significant economic or social disadvantages affecting the data subject.

In the event of a personal data breach (except when the breach is unlikely to pose a risk to the rights and freedoms of natural persons), the data controller shall immediately report the incident to the National Authority for Data Protection and Freedom of Information. Once the incident comes to the data controller’s attention, the report must be made without undue delay, and where feasible, no later than 72 hours after becoming aware of the breach. If the report cannot be made within 72 hours, the reasons for the delay must be provided, and the required information must be submitted in phases without further undue delay.

For reporting data breaches, the National Authority for Data Protection and Freedom of Information operates a dedicated online reporting system on its website, through which notifications can be submitted electronically.

The data controller maintains a record of personal data breaches, indicating the facts related to the breach, its effects, and the remedial actions taken. The record must include information such as the causes of the breach, the sequence of events, the categories of personal data affected, the impacts and consequences of the incident, the corrective measures taken, and the conclusions drawn by the data controller (for example, why it considers the incident not reportable, or if the report was delayed, the reason for the delay).

There is no need to report to the supervisory authority any incident that is not likely to result in a risk to the rights and freedoms of natural persons.

If a data protection incident is likely to result in a high risk to the rights and freedoms of the data controller’s partners or clients, the affected partner must be informed without delay. The information provided to the data subject must clearly and plainly describe the nature of the data protection incident and include the most important facts and measures.

The data subject does not need to be informed as described above if any of the following conditions are met: the data controller has implemented appropriate technical and organizational protection measures and those measures were applied to the data affected by the data protection incident, especially measures that make the data unintelligible to unauthorized persons; the data controller has taken further measures following the data protection incident which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize; or providing the information would require disproportionate effort. In such cases, the data subjects must be informed through publicly available information or by taking a similar measure that ensures equally effective communication.

Information on the Most Relevant Legislation

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);

  • Act CXII of 2011 – on the Right to Informational Self-Determination and Freedom of Information (Info Act);

  • Act V of 2013 – on the Civil Code;

  • Act LXXVII of 2013 – on Adult Education;

  • Act C of 2014 – on Accounting.

Right to Turn to Court

If their rights are violated, the data subject may take the data controller to court. The court shall proceed with the case as a matter of priority.

Data Protection Authority Procedure

Complaints may be submitted to the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information
Headquarters: 1055 Budapest, Falk Miksa Street 9-11
Mailing address: 1363 Budapest, P.O. Box 9
Phone: +36 1 391 1400
Fax: +36 1 391 1410
Email: ugyfelszolgalat@naih.hu

Other Provisions

The data controller provides information about any data processing activities not listed in this notice at the time the data is collected. In such cases, the applicable legal regulations are considered authoritative.

The data controller hereby informs its clients that courts, public prosecutors, investigating authorities, administrative authorities, misdemeanor authorities, the National Authority for Data Protection and Freedom of Information, the Central Bank of Hungary, and other bodies authorized by law may contact the data controller for the purpose of requesting information, disclosure of data, transfer of data, or provision of documents. The data controller will release personal data to these authorities only to the extent strictly necessary for fulfilling the purpose of the request, provided that the authority clearly specifies the purpose and the scope of the requested data.

The website of the National Authority for Data Protection and Freedom of Information contains further information on the data protection rights referenced in this Privacy Notice.

Budapest, 8 June 2016

Mária Krisztina Szikra
Managing Director
