PRIVACY AND DATA MANAGEMENT POLICY
Introductory Provisions
The purpose of this Privacy and Data Management Policy (hereinafter: Policy) is to provide comprehensive information to data subjects regarding the management, use, and transfer of stored data by Mobilwood Kft. (hereinafter: Company) (headquarters: 9 Kamilla St., Telki, 2089; email address: hello@no1barber.hu, tax number: 14067396-2-13, hereinafter: Data Controller) in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR) and Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (Infotv.).
Based on the provisions of the Regulation:
- The Data Controller must possess an appropriate legal basis for any data processing activity and must be able to demonstrate this legal basis. In addition to the register of data processing activities, an inventory must be prepared to monitor the legality of the organization’s data processing activities.
- The Data Controller shall take the necessary and appropriate measures to ensure the security of personal data (including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage).
- Through this Policy, the Data Controller provides the necessary legal information to data subjects regarding its data processing activities (purpose, legal basis, duration, scope of recipients, etc.) and the rights of the data subject.
What is meant by data processing?
“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (Article 4(2))
What is meant by data processor?
“Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Article 4(8))
Basic Principles
Article 5 of the Regulation contains the principles relating to the processing of personal data.
These are: a) lawfulness, fairness and transparency; b) purpose limitation; c) data minimization; d) accuracy; e) storage limitation; f) integrity and confidentiality.
Article 5(2) contains the principle of accountability, which means that the Data Controller is responsible for compliance with the aforementioned principles and must be able to demonstrate such compliance.
The principle of integrity and confidentiality outlines the data security tasks for those falling under the scope of the regulation: “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
Data processing may only take place if the data subject gives their voluntary, specific, informed, and unambiguous consent through a clear affirmative action—such as a written (including electronic) or oral statement—to the processing of personal data concerning them, or if there is another lawful basis established by law.
Consent is not considered voluntary if it does not allow separate consent to be given for different personal data processing operations despite this being appropriate in the individual case, or if the performance of a contract (e.g., a service contract) is made conditional upon consent even though the consent is not necessary for the performance of that contract.
If the Data Controller commissions a processor to carry out data processing activities, it shall only use processors providing sufficient guarantees—especially in terms of expertise, reliability, and resources—to implement technical and organizational measures that meet the requirements of the Regulation, including the security of processing.
The Data Controller shall maintain a record of processing activities carried out under its responsibility.
Definitions
data set: the totality of data managed within a single filing system;
data processing: the execution of technical tasks related to data management operations, regardless of the method and tools used to perform the operations or the place of application;
data processor: a natural or legal person, or an organization without legal personality, who processes personal data on behalf of the data controller, including mandates based on legal provisions;
data management: any operation or set of operations performed on personal data, regardless of the procedure used, such as collection, recording, organization, storage, modification, use, transmission, disclosure, alignment or combination, blocking, deletion, and destruction, as well as preventing further use of the data. Taking photographs, audio, or video recordings, and recording physical characteristics suitable for personal identification (e.g., fingerprints, palm prints, DNA samples, iris scans) also qualify as data management;
data controller: a natural or legal person, or an organization without legal personality, who determines the purposes of data management, makes and executes decisions regarding data management (including the tools used), or has them executed by a commissioned processor;
data destruction: the complete physical destruction of the data or the data carrier containing it;
data transfer: making the data accessible to a specific third party;
data deletion: making data unrecognizable in such a way that its restoration is no longer possible;
data blocking: making the transfer, access, disclosure, transformation, modification, destruction, deletion, combination, or use of data impossible, either permanently or for a specified period;
third party: a natural or legal person, or an organization without legal personality, who is not identical to the data subject, the data controller, or the data processor;
consent: a voluntary and firm expression of the data subject’s wish, based on adequate information, by which they give their unmistakable agreement to the processing of personal data relating to them, either in full or for specific operations;
special data: data relating to racial origin, membership of a national or ethnic minority, political opinion or party affiliation, religious or other worldviews, trade union membership, health status, pathological addiction, sexual life, and criminal personal data;
disclosure: making the data accessible to anyone;
registration: providing the identification data necessary and sufficient for identification to the data controller;
personal data: any information relating to an identified or identifiable natural person (hereinafter: Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, or one or more factors specific to the physical, physiological, mental, economic, cultural, or social identity of that natural person;
personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
objection: a statement by the data subject objecting to the processing of their personal data and requesting the termination of data management or the deletion of the processed data.
Areas of Activities Involving Data Management
Areas of activity involving data management are the work areas in which personal data is managed, together with the purpose that makes such data management necessary. One such area is, for example, the management of business partners’ data, during which personal data of natural persons necessarily comes into the possession of the Data Controller.
Activity involving data management also includes performing tasks related to the employment relationships of employees, during which almost exclusively personal data is provided to the Data Controller.
Depending on the company’s scope of activity, additional areas may be classified as involving the management of personal data.
Data management is lawful if it is necessary within the framework of a contract or the intention to conclude a contract.
The legitimate interest of the Data Controller—including the controller with whom the personal data may be shared—or a third party may create a legal basis for data management, provided that the interests or fundamental rights and freedoms of the data subject do not prevail, taking into account the reasonable expectations of the data subject based on their relationship with the Data Controller. Such a legitimate interest exists, for example, when there is a relevant and appropriate relationship between the data subject and the Data Controller, such as when the data subject is a client of the Data Controller or in its employment.
The processing of personal data strictly necessary for the purpose of fraud prevention also constitutes a legitimate interest of the Data Controller.
The processing of personal data for direct marketing purposes may also be considered to be based on legitimate interest. If personal data is processed for direct marketing, the data subject must be guaranteed the right to object at any time, free of charge, to the processing of personal data concerning them for such purposes—original or further—including profiling if it is related to direct marketing. The data subject’s attention must be explicitly drawn to this right, and this information must be displayed clearly and separately from any other information.
Legal Basis for Data Management
The processing of personal data is lawful only if and to the extent that it has one of the legal bases specified in the Regulation, which may be the following:
– the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
– processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
– processing is necessary for compliance with a legal obligation to which the controller is subject,
– processing is necessary in order to protect the vital interests of the data subject or of another natural person,
– processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
– processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Rules of Data Management
The processing of personal data must be carried out lawfully, fairly, and in a transparent manner for the data subject. Personal data may only be collected for specified, explicit, and legitimate purposes and must be managed in a manner compatible with those purposes.
If the data management is based on consent, the consent of the data subject is required for the data management.
The consent must be voluntary and explicit, based on detailed prior information. Information intended for the public may be communicated through a website.
Separate consents are required for different data management purposes.
The processing of personal data for purposes other than the original purpose of collection is only permitted if the processing is compatible with the original purposes for which the personal data were originally collected. To determine whether the purpose of further processing is compatible with the original purpose, the Data Controller—after fulfilling all requirements for the lawfulness of the original processing—shall consider, among other things, any link between the original and intended further purposes, the circumstances of collection (including the data subject’s reasonable expectations based on their relationship with the controller), the nature of the personal data, the consequences of the intended further processing for the data subjects, and the existence of appropriate safeguards in both original and intended further operations. In all cases, the principles set out in the Regulation must be ensured, particularly the provision of information to the data subject about these other purposes and their rights, including the right to object.
Personal data must be adequate and relevant to the purposes of the data management and limited to the necessary information; furthermore, it must be accurate and, where necessary, kept up to date; inaccurate personal data must be rectified or deleted.
If the personal data processed by the Data Controller does not allow the Data Controller to identify a natural person, the Data Controller cannot be obliged to obtain additional information to identify the data subject in order to comply with a provision of the Regulation. At the same time, the Data Controller may not refuse additional information provided by the data subject to support the exercise of their rights.
Data storage must occur in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Appropriate technical or organizational measures must be applied to ensure the security of personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
The Data Controller is responsible for compliance with the listed requirements and must be able to demonstrate this compliance.
Requesting data or recording data from data subjects may only occur within a scope that is:
– relevant to the Data Controller’s activities,
– required by legal provisions in the case of employees, or
– resulting from an agreement to that effect or the data subject’s unilateral legal declaration in the case of other data providers.
The Data Controller processes the following data of data subjects: name, e-mail address, address, phone number, billing data, order data. Regarding its employees, the Data Controller processes all data relevant from employment, tax, and social security perspectives.
The Data Controller only processes personal data suitable for identifying the data subject. Requesting or recording personal data outside of this scope is prohibited. The Data Controller does not process personal data classified as special data under the Infotv.
During data processing, it is prohibited to perform any operation on personal data that qualifies as profiling or makes the data suitable for profiling.
Among the data processed by the Data Controller, those for which it cannot be established beyond doubt that they are public data provided for business purposes (e-mail address, mobile phone number) must be treated as personal data.
Law may order the disclosure of personal data for reasons of public interest, with the explicit designation of the scope of data.
Upon the termination of the legal basis for data management, the Data Controller shall delete the data subject’s data.
Access to the Filing System
In addition to the data subjects, only persons for whom access is essential for the performance of the duties arising from their job position or mandate (users) may access the filing system containing personal data. Access to the filing system is authorized by the legal representative of the Company or by a person designated in a separately drafted document, who also determines the content and extent of the authorization. Users must make a data protection declaration.
Data Transfer
Personal data may only be transferred based on a legal provision or the data subject’s express written consent; or, under the right to data portability, the data subject may request the Data Controller to transfer their personal data (even directly) to another controller if the processing was based on consent and carried out by automated means. The recipient to whom the data may be transferred must be clearly defined in the consent statement. The consent must be recorded in a private document with full probative force. The same statement from the data subject is required for the disclosure of personal data.
Data Processors
The Data Controller is entitled to enter into written agreements with data processors.
Data processors must ensure that unauthorized persons do not gain access to the personal data they manage. If they notice that persons without authorization can access the filing system, they are obliged to report this to the system operator and simultaneously to the Data Controller.
Employees of data processors must make a confidentiality statement.
The Data Controller determines the rights and obligations of the data processor regarding the processing of personal data. The Data Controller is responsible for the legality of instructions regarding data management operations. Within its scope of activity or the framework determined by the Data Controller, the data processor is responsible for the processing, alteration, deletion, transfer, and disclosure of personal data.
The data processor may not use another processor in the performance of its activities. The data processor may not make substantive decisions regarding data management; it may only process the personal data it becomes aware of according to the Data Controller’s instructions, cannot perform data processing for its own purposes, and is obliged to store and preserve personal data according to the Data Controller’s instructions.
Responsibility for the Enforcement of Data Protection Rules
Persons performing data processing at the Data Controller are subject to employment or civil law liability for compliance with data management rules, depending on their legal relationship. They are obliged to compensate both the data subjects and the Data Controller for damages caused by the culpable violation of the rules.
The data processor must report if it notices a data protection incident or becomes aware of unauthorized access to personal data within its sphere of responsibility. Upon notification, the company manager shall immediately take the necessary measures.
If a data processor or an authorized person culpably violates data protection rules, the Company’s legal representative shall investigate the matter within 8 days of becoming aware of it and take the necessary employer measures within a further 8 days or enforce the possible consequences based on the civil law relationship.
Data protection incidents (breaches of personal data protection) involving high risks to the rights and freedoms of natural persons shall be reported by the data controllers to the competent supervisory authority immediately (within 72 hours) and the data subject shall also be informed. The Data Controller is exempt from the latter only in certain cases (e.g., if the risk is substantially reduced).
Prior to data management activities likely to involve a high risk to the protection of personal data, a data protection impact assessment must be carried out.
Rights of Data Subjects
Right to Information
The data subject may request information about the management of their personal data and may request the rectification or—with the exception of data management mandated by law—the deletion of their personal data through any of the Data Controller’s contact details.
Upon request, the Data Controller provides information about the data it manages, the purpose, legal basis, and duration of the management, the name and address (headquarters) of the processor, and its activities related to data management, as well as who and for what purpose received or receives the data.
The Data Controller shall provide the information in writing, in an intelligible form, free of charge, as soon as possible but no later than 25 days from the submission of the request. At the same time, measures must be taken to rectify any personal data that does not correspond to reality.
Right to Rectification
The Data Controller shall delete the personal data if:
– its processing is unlawful,
– the data subject requests it,
– it is incomplete or incorrect—and this state cannot be legally corrected—provided that deletion is not excluded by law,
– the purpose of the data management has ceased, the statutory deadline for storing the data has expired, or
– it has been ordered by a court or the data protection authority.
The Data Controller notifies the data subject and all those to whom the data was previously transferred for data management purposes about the rectification and deletion. Notification may be omitted if this does not violate the legitimate interest of the data subject, considering the purpose of the data management.
Objection
The data subject may object to the processing of their personal data if:
– the processing (transfer) of data is necessary exclusively for the enforcement of the right or legitimate interest of the Data Controller or the data recipient, unless the data management was ordered by law,
– the use or transfer of personal data occurs for direct marketing, public opinion polling, or scientific research purposes,
– the exercise of the right to object is otherwise permitted by law.
The Data Controller—while simultaneously suspending the data management—is obliged to examine the objection within the shortest possible time from the submission of the request, but no later than 15 days, and to inform the requester of the result in writing.
If the objection is justified, the Data Controller is obliged to terminate the data management—including further data collection and transfer—and block the data, as well as notify all those to whom the personal data affected by the objection was previously transferred and who are obliged to take measures to enforce the right to object.
Legal Remedy
In the event of a violation of their rights, the data subject may turn to a court. The court shall handle the case with priority. The Data Controller is obliged to prove that the data management complies with the legal provisions. Jurisdiction for the lawsuit lies with the regional court (törvényszék). The lawsuit may also be initiated—at the data subject’s choice—before the regional court of the data subject’s place of residence or stay.
If the data subject believes that their rights were violated during data management or processing, they may turn to the National Authority for Data Protection and Freedom of Information. The conditions and contact details for the Authority’s procedures can be found at http://www.naih.hu.
Other Rights, Opportunities, and Obligations of Data Subjects
Measures must be ensured to facilitate the exercise of data subjects’ rights, including providing mechanisms by which, among other things, the data subject has the opportunity to request and, where appropriate, receive access to personal data, their rectification and deletion, and exercise the right to object free of charge. Accordingly, the Data Controller also ensures means allowing for the electronic submission of requests if the processing of personal data occurs electronically. The Data Controller shall respond within one month, and if the Data Controller does not comply with a request of the data subject, it is obliged to provide justification.
If personal data are collected from the data subject, the data subject must be informed whether they are obliged to provide the personal data and what the consequences of failing to provide the data are. It is the data subject’s obligation to ensure that their personal data is accurate and, where necessary, up to date; consequently, they are subject to an obligation of cooperation, within the framework of which they are obliged to immediately report any changes in their personal data. For the failure to fulfill this obligation, the data subject alone is liable for all resulting consequences, including legal consequences.
If the data were not collected from the data subject but from another source, the information must be provided to the data subject within a reasonable period, considering the circumstances of the case.
If the personal data can be lawfully disclosed to another recipient, the data subject must be informed of this at the time of the first disclosure to the recipient.
If the Data Controller intends to process personal data for a purpose other than the original purpose of collection, it must inform the data subject of this different purpose and all other necessary information prior to further processing. If the Data Controller cannot provide information to the data subject about the origin of the personal data because they come from various sources, general information must be provided.
Record of Data Processing Activities
The Regulation prescribes the recording of data processing activities (Article 30(1)).
The data processor is also obliged to maintain a similar record (Article 30(2)).
Data Protection Officer
In the case of commissioning a Data Protection Officer, their most important task is to monitor compliance with data protection rules at the Data Controller (Article 39).
Effective from May 10, 2025