DATA MANAGEMENT INFORMATION
(hereinafter also referred to as "Information" or "Data Protection Information")
1. Basic provisions
The new data protection regulation No. 2016/679 of the European Union (General Data Protection Regulation, GDPR, hereinafter: "Regulation" or "GDPR") becomes directly applicable in Hungary.Aerial Yoga Hungary- Lara Gulyás and Aerial Sports Academy- Endre Kónya is an individual entrepreneuraccording to the Regulation, it is considered a data controller, i.e. the Regulation Aerial Yoga Hungary- Gulyás Lara and Aerial Sports Academy- It also applies to personal data managed by Endre Kónya, an individual entrepreneur.
1.2 Purpose of the Notice
The purpose of the Information Sheet is to establish Aerial Yoga Hungary-Gulyás Lara and Aerial Sports Academy- Endre Kónya individual entrepreneur (hereinafter referred to as "Data Controller") follows and applies the data protection and data management provisions and principles considered to be applicable to him, Aerial Yoga Hungary- Gulyás Lara and Aerial Sport Academy- Endre Kónya's data protection and data management policy.
When determining the content of the Information, the Data Controller particularly took into account, in addition to the Regulation, CXII of 2011 on the right to informational self-determination and freedom of information. Act ("Infotv"), Act V of 2013 on the Civil Code ("Ptk"), and Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising. also the provisions of the Act ("Grtv.")
Scope of this Data Management Notice awww.aerialyogahungary.hu and www.aerialsportsacademy.com
It covers the website available at (hereinafter: "Website") and data processing related to the Data Controller's commercial activities.
In the absence of information to the contrary, the scope of the Notice does not cover the services and data management that are related to the promotions, sweepstakes, services, other campaigns of third parties appearing on the Website or to the content published by them.
In the absence of information to the contrary, the scope of the Notice does not cover the services and data management of websites and service providers to which links on the Websites lead. The scope of the Notice does not extend to the data processing of the persons (organizations, companies) from whose information, newsletter, or advertisement the Data Subject learned about the Website.
1.5. Modification of the Prospectus
1.5.1. The Data Controller reserves the right to unilaterally modify the Information.
1.5.2. By entering the Website, the Data Subject accepts the provisions of the Information Sheet in force at all times, the Data Subject's further consent is not required unless otherwise provided in the Information Sheet.
2. Concept definitions
The terms appearing in the Data Protection Notice have the following meaning:
2.1. Data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, systematization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or making accessible in any other way by item, coordination or connection, restriction, deletion or destruction.
2.2. Data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others.
2.3. Personal information or data: any information relating to an identified or identifiable natural person (“data subject”); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person can be identified.
2.4. Data processor: the natural or legal person, public authority, agency or service provider who processes personal data on behalf of the Data Controller.
2.5. Data subject: the natural person who provides his or her personal data or whose personal data is provided to the Data Controller.
2.6. External service provider: third-party service partners used by the Data Controller or the Website operator, either directly or indirectly, in connection with the provision of individual services, to whom Personal Data is or may be transmitted in order to provide their services, or who provide Personal Data to the Data Controller can be forwarded. External service providers are also those service providers that do not cooperate with the Data Controller or the operators of the services, but by accessing the Website, they collect data about the Data Subjects, which, either independently or combined with other data, may be suitable for identifying the Data Subject. When providing the storage service, the Data Controller also considers the Data Subject as an External service provider in terms of the data management activities carried out on the storage space used by it.
2.7. Information: this data management information of the Data Controller.
3. The person and activities of the data controller
Name: Aerial Yoga Hungary- Gulyás Lara is an individual entrepreneur
activities: 855101- Sports and leisure training
9313302 - Fitness club, gym operation, aerobics
Headquarters: 1074 Budapest Dohány utca 28.
tax number: 68167015-1-43
registration number: 51336208
Data Protection Officer: Gulyás Lara
Title of data protection officer: owner
Name: Aerial Sports Academy - Endre Kónya, sole proprietor
activities: 855101- Sports and leisure training
9313302 - Fitness club, gym operation, aerobics
Headquarters: 1031 Budapest, Torma Károly u 23.
tax number: 76234873-1-42
Data Protection Officer: Gulyás Lara
Position of data protection officer: business manager
The Data Controllers are individual entrepreneurs registered in Hungary.
The Data Controller operates the Website, which isEntrepreneur of Aerial Yoga Hungary and Aerial Sports AcademyIt was created for the purpose of booking and selling tickets for individual and group fitness and yoga classes organized under the name brand.
4. Basic principles of data management
4.1. Legality, fairness
The data must be handled legally and fairly, as well as in a transparent manner for the data subject. The Data Controller only processes the data specified in the legislation or provided by the Data Subjects or their employers/clients/customers, for the purposes defined below. The scope of personal data managed is proportionate to the purpose of data management, and may not extend beyond that.
The data must be necessary and relevant for the purpose of data management, and must also be accurate and, if necessary, up-to-date.
4.3. Bound to a goal
In any case, if the Data Controller intends to use the Personal Data for a purpose other than the purpose of the original data collection, the Data Subject shall be informed of this, and the Data Subject shall be given prior, express consent to do so, and shall be given the opportunity to prohibit the use.
The Data Controller does not check the Personal Data provided to it. The person providing the personal data is solely responsible for the adequacy of the personal data provided.
4.5 Limited storage capacity
It must be stored in a form that allows the identification of the data subjects only for the time necessary to achieve the goals of personal data management.
4.6. Protection of data of persons under the age of 16
The personal data of a person under the age of 16 may only be processed with the consent of an adult exercising parental supervision over him. The Data Controller is not in a position to verify the authorization of the consenting person or the content of his statement, so the Data Subject or the person exercising parental supervision over him guarantees that the consent complies with the law. In the absence of a statement of consent, the Data Controller does not collect Personal Data of the affected person under the age of 16.
4.7. The Data Controller does not transfer the Personal data it handles to third parties other than the Data Processors and External Service Providers specified in the Information.
The data must be handled in such a way that adequate security of personal data is ensured by applying appropriate technical and/or organizational measures.
An exception to the provision contained in this point is the use of data in a statistically aggregated form, which may not contain any other data capable of identifying the Data Subject in any form.
In certain cases, the Data Controller may harm the interests of the Data Controller, endanger the provision of the service, etc. - makes available Personal Data of the Data Subject accessible to third parties.
4.8. The Data Controller on the correction, restriction, or will notify the Data Subject of its deletion, as well as all those to whom the Personal Data was previously transmitted for the purpose of Data Management. Notification may be omitted if this does not violate the Data Subject's legitimate interests in view of the purpose of Data Management.
4.9. Based on the Regulation, the Data Controller is not obliged to appoint a data protection officer, as the Data Controller is not a public authority or a body performing a public task, the Data Controller's activities do not include operations that require regular and systematic, large-scale monitoring of the Data Subjects, and the Data Controller does not manage special data, as well as personal data related to decisions regarding the establishment of criminal liability and crimes.
5. Legal basis for data management
5.1 Article 6 of the GDPR establishes in which cases the personal data of the Data Subjects may be processed:
"a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;
b) data management is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary to take steps at the request of the data subject prior to the conclusion of the contract;
c) data management is necessary to fulfill the legal obligation of the data controller;
d) data processing is necessary to protect the vital interests of the data subject or another natural person;
e) data processing is in the public interest or is necessary for the execution of a task performed in the context of the exercise of public authority delegated to the data controller;
f) data management is necessary to enforce the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject take precedence over these interests, which require the protection of personal data, especially if the data subject is a child."
5.2. Taking into account the nature of the Data Controller's activities, the legal basis for data management is primarily the Data Subject's voluntary, express consent based on adequate information (Infotv. § 5 (1) point a)), any contractual agreement between the Data Controller and the Data Subject or his employer/client/customer during the preparation of the obligation or after its creation, point 5.1.b) of the Regulation above and point 5.1.c) of the Regulation above. in the case of areas monitored by cameras, point 5.1.d) of the Regulation above. The Data Subject voluntarily contacts the Data Controller, or voluntarily registers or voluntarily uses the Data Controller's services, either during the performance of a task for his employer/client/customer. In the absence of the Data Subject's consent, the Data Controller only handles data if it is clearly authorized to do so by law.
5.3 If the data management is based on consent, the data controller must be able to prove that the data subject has consented to the processing of his personal data.
5.4. The Data Subject has the right to withdraw his consent at any time with regard to all data processing, the legal basis of which is the Regulation in point 5.1.a) of the Regulation above. Withdrawal of consent does not affect the legality of data processing based on consent and prior to withdrawal, as well as according to point 5.1.b) and/or c) and/or 5.1.d) of the Regulation above.
5.5. Data transmission to the Data Processors specified in the Notice may be carried out without the Data Subject's separate consent. The release of personal data to third parties or authorities - unless otherwise provided by law - is only possible on the basis of a legally binding official decision or with the Data Subject's prior express consent.
5.6. When the User accesses certain websites, the Data Manager collects the User's IP address in connection with the provision of the service, in view of the legitimate interest of the Data Manager and for the reason of the legal provision of the service (e.g. to filter out illegal use or illegal content), even without the User's separate consent. records.
5.7. When entering the e-mail address and data provided during registration (e.g. user name, ID, password, etc.), any User assumes responsibility for ensuring that the e-mail address provided or using the data provided by him, only he uses the service. In view of this responsibility, any responsibility related to logins to a specified e-mail address and/or data shall be borne solely by the User who registered the e-mail address and entered the data.
6. Purpose of data management
The data must be handled legally and fairly, as well as in a transparent manner for the Data Subject. The Data Controller strives to ensure that only such personal data is processed that is essential for the realization of the purpose of data management and suitable for achieving the purpose. Personal data can only be processed to the extent and for the time necessary to achieve the purpose.
The purpose of data management is primarily the operation of the Website and the provision of the Data Controller's services, the creation and fulfillment of commercial and contractual relationships.
Purpose of data management based on the above:
● identification of the Data Subject, contact with the Data Subject
● Preparation of the contract created during the purchase/booking of an appointment on the Website, fulfillment of the contractual obligations by the Data Controller, enforcement of its rights;
● provide the Data Subject with concise, transparent, understandable and easily accessible information
● the establishment and performance of legal transactions between the Data Controller and the Data Subject within the scope of the Data Controller's activities
● fee collection and invoicing in case of use of a fee-based service
● fulfilling the obligations imposed on the Data Controller, exercising the Data Controller's rights
● protection of the Data Subject's rights.
7. Source of data
The Data Controller only handles Personal Data provided by the Data Subjects or legal entities using the Data Subjects' services (work) for the purpose of preparing/fulfilling the transaction, and does not collect data from other sources.
The data is entered during the Data Subject's registration. The Data Subject provides his name, e-mail address and password during registration.
For the first time, you fill out the general health and stamp declarations, which are an essential condition for class participation.
8. Scope of managed data
The Data Controller only handles personal data provided in accordance with point 8. The processed data are as follows:
The data managed by the Data Controller can be classified into the following groups based on the purpose of data management:
● Data required for registration: In the framework of the registration required for purchasing on the Website, the Data Subject enables purchasing/booking an appointment from the webshop by entering his/her last name, first name, e-mail address, password, telephone number and home address.
● Billing data. If the Data Subject provides consideration to the Data Controller, the Data Controller manages the data related to payment and invoicing (payment method, details of the device used for payment, in the case of invoicing, the customer's name, address, tax number). The legal basis for data management is partly the Data Subject's consent, partly the legislation on taxation and accounting. The purpose of data management is invoicing and fee collection.
In addition to the above, the Data Controller manages the technical data, including the IP address, as described in point 13.
9. Description of the data management process
The source of the data is the Data Subject, or a legal entity with an employment/contract/enterprise legal relationship with him, who uses the data (i) during the possible registration and/or (ii) during the preparation, creation or performance of the legal transaction and/or (iii) the newsletter or XLVIII of 2008 TV. Enter it when making a statement related to a direct inquiry according to Section 6 (1). Entering the data on the registration form is mandatory, unless the contrary is expressly stated.
The Data Subject provides the data independently, the Data Controller does not provide any mandatory guidelines in this regard, and does not impose any content expectations. The Data Subject expressly consents to the processing of the data provided by him. In addition to the data requested by the Data Controller, the Data Subject is entitled to provide other data in his profile, the legal basis for data management in this case is also the Data Subject's voluntary consent.
If the Data Subject registers for a promotion organized by the Data Controller (e.g. on Facebook) and provides the data requested there, he accepts the data management information related to the given promotion. In this case, by entering the data, the Data Subject does not register on the Website, but consents to the processing of the data provided as specified in the information of the promotion.
10. Data management related to documents
12. Data management for advertising purposes, sending newsletters
If the Data Subject agrees, the Data Controller will contact the Data Subject at the provided contact details and send him an advertisement using the direct inquiry method. Advertising can be sent by post, by phone (including SMS), or by e-mail (including Messenger). The Data Subject may withdraw his consent at any time without giving reasons.
The Data Controller's system can automatically record the IP address of the Data Subject's computer, the start time of the visit, and in some cases – depending on the computer settings – the type of browser and operating system. The data recorded in this way cannot be linked to other personal data. Data management is for statistical purposes only.
Cookies enable the Website to recognize, identify and record previous visitors. Cookies help the Data Controller, as the operator of the Website, to optimize the Website and to design the Website's services according to the Data Subjects' habits. Cookies are also suitable for
● remember the settings, so that the Data Subject does not have to record them again when he goes to a new page,
● they remember the previously entered data, so they do not have to be typed in again,
● analyze the use of the website in order to ensure that, as a result of the improvements implemented using the information obtained in this way, it functions as much as possible in accordance with the Data Subject's expectations, the data subject can easily find the information he is looking for, and
● they monitor the effectiveness of our ads.
If the Data Controller displays various content on the Website using external web services, this may result in the storage of some cookies that are not controlled by the Data Controller, so it has no influence on the data collected by these websites or external domains. Information about these cookies can be found in the regulations for the specific service.
14. Data transfer
The Data Controller will only transmit personal data to a third party if the Data Subject has clearly consented to it – knowing the scope of the transmitted data and the recipient of the data transmission – or if the data transmission is authorized by law.
The Data Controller is entitled and obliged to forward all Personal Data at his disposal and legally stored by him to the competent authorities, which he is required by law or legally binding authority to forward Personal Data. The Data Manager cannot be held responsible for such Data Transmission and the resulting consequences.
The Data Controller always documents data transmissions and keeps a record of data transmissions.
15. Data processing
The Data Controller is entitled to use a data processor to carry out its activities. The data processors do not make independent decisions, they are only entitled to act according to the contract concluded with the Data Controller and the instructions received. The Data Controller checks the work of the data processors. Data processors are entitled to use additional data processors only with the consent of the Data Controller. The Data Controller may only use data processors who provide adequate guarantees for the implementation of appropriate technical and organizational measures to ensure the compliance of data management and the protection of the rights of the data subjects.
The data processor may not use additional data processors without the prior written authorization of the Data Controller on a case-by-case or general basis. In the case of general written authorization, the data processor informs the Data Controller of any planned changes that affect the use of additional data processors or their replacement, thereby providing the Data Controller with the opportunity to object to these changes.
The Data Controller indicates the data processors used in the Information Sheet.
• Data processors used by the Data Controller:
• Aerial Yoga Hunagry (1061. Budapest, Bajcsy Zsilinszky út 31. 3/8•
• OTP Bank Plc. (11702074-21451841)
• Pay Paypal
16. External service providers
The Data Controller does not use external service providers.
17. Tasks related to data security
The Data Controller ensures the security of the data, takes the technical and organizational measures and establishes the procedural rules that are necessary to enforce the governing legislation, data and privacy protection rules. The Data Manager protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.
The Data Controller and the data processor implement appropriate technical and organizational measures taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management, as well as the variable probability and severity of the risk to the rights and freedoms of natural persons. , to guarantee a level of data security appropriate to the degree of risk.
In the context of the above, the Data Controller:
● takes care of measures to ensure protection against unauthorized access, including the protection of software and hardware devices, as well as physical protection (access protection, network protection);
● takes measures to ensure the possibility of restoring data files, about regular backups;
● arranges for virus protection.
18. Duration of data management
The Data Controller deletes the Personal Data,
a) If it turns out that the data is being handled illegally, the Data Controller will execute the deletion immediately.
b) If requested by the Data Subject (with the exception of data processing based on legislation).
The Data Subject may request the deletion of data processed on the basis of the Data Subject's voluntary consent. In this case, the Data Controller will delete the data. Deletion can only be refused if the law authorizes the processing of the data. In all cases, the Data Controller provides information on the refusal of the deletion request and on the law enabling data management.
c) If it becomes known that the data is incomplete or incorrect - and this situation cannot legally be rectified - provided that deletion is not excluded by law.
d) If the purpose of the data management has ceased or the statutory period for storing the data has expired;
Deletion can be refused (i) if the Personal Data is authorized by law; and (ii) necessary for legal protection and enforcement.
e) It was ordered by the court or the National Data Protection and Freedom of Information Authority
If a court or the National Authority for Data Protection and Freedom of Information legally orders the deletion of the data, the deletion will be carried out by the Data Controller.
Instead of deletion, the Data Controller - after informing the Data Subject - blocks the personal data, if the Data Subject requests this, or if, based on the available information, it can be assumed that the deletion would harm the legitimate interests of the Data Subject. The personal data locked in this way can only be processed as long as the data management purpose that precluded the deletion of the personal data exists. The Data Controller marks the personal data it manages if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established.
In the case of data management ordered by law, the deletion of data is governed by the provisions of the law.
In the event of deletion, the Data Controller renders the data unsuitable for personal identification. If required by law, the Data Controller destroys the data carrier containing personal data.
In each case, the Data Controller informs the Data Subject of the refusal of the deletion request, indicating the reason for the refusal of the deletion. After fulfilling the request to delete personal data, the previous (deleted) data can no longer be restored.
Newsletters sent by the Data Controller can be unsubscribed via the unsubscribe link in them. In the event of unsubscribing, the Data Controller automatically deletes the Data Subject's Personal Data in the newsletter's database.
19. Rights of Data Subjects related to data management
19.1. The Data Controller informs the Data Subject about the handling of the data at the same time as the contact is made. The Data Subject is also entitled to request information about data management at any time.
The Data Subject has the right to receive feedback from the Data Controller as to whether his personal data is being processed, and if such data processing is in progress, he is entitled to receive access to the personal data and information about the purpose of data processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data has been or will be communicated, the planned period of storage of the personal data, or, if this is not possible, the criteria for determining this period. The Data Subject has the right to request from the data controller the correction, deletion or restriction of the processing of personal data concerning him and to object to the processing of such personal data. You also have the right to submit a complaint to a supervisory authority, and if the data were not collected from the data subject, all available information about their source.
19.2. The data subject has the right to have the data controller correct inaccurate personal data concerning him without undue delay upon request. Taking into account the purpose of the data management, the data subject is entitled to request the completion of incomplete personal data, including by means of a supplementary statement.
19.3. With the exception of data processing mandated by law, the Data Subject may request the Data Controller to delete the personal data concerning him without undue delay. The Data Controller informs the Data Subject of the deletion.
19.4. The Data Subject may object to the processing of his personal data as specified in Infotv.
19.5. The Data Subject may submit his request for information, correction or deletion in writing, in a letter addressed to the headquarters or location of the Data Controller, or to the Data Controlleraerialyogahungary@gmail.comin an e-mail sent to
19.6. The Data Subject may request that the processing of his/her Personal Data be limited by the Data Controller if the Data Subject disputes the accuracy of the processed Personal Data. In this case, the limitation applies to the period that allows the Data Controller to verify the accuracy of the Personal Data. The Data Controller marks the Personal data it manages if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.
The Data Subject may request that the processing of his Personal Data be restricted by the Data Controller even if the Data Processing is unlawful, but the Data Subject opposes the deletion of the processed Personal Data and instead requests a limitation of its use.
The Data Subject may also request the restriction of the processing of his Personal Data by the Data Controller if the purpose of the Data Processing has been achieved, but the Data Subject requires their processing by the Data Controller for the presentation, enforcement or defense of legal claims.
19.7. The Data Subject has the right to receive the personal data concerning him/her provided to a data controller in a segmented, widely used, machine-readable format, and is also entitled to transmit this data to another data controller without being hindered by the data controller whose made the personal data available to you.
19.8. If the Data Controller does not comply with the Data Subject's request for rectification, blocking or deletion, within 30 days of receiving the request, the Data Controller shall notify the reasons for rejecting the request for rectification, blocking or deletion in writing. In the case of rejection of the request for correction, deletion or blocking, the data controller informs the Data Subject of the possibility of a judicial remedy, as well as the possibility of turning to the National Data Protection and Freedom of Information Authority.
19.9. The Data Subject can make the above declarations related to the exercise of his rights at the data controller's contact details in point 2.
The Data Subject can file a complaint directly with
To the National Data Protection and Freedom of Information Authority
(address: 1055 Budapest, Falk Miksa u 9-11. The correspondence address: 1363 Bp. Pf. 9.; phone: +36-1-391-1400; e-mail: firstname.lastname@example.org; website: www.naih .hu) as well.
In case of violation of the rights of the Data Subject, Infotv. to go to court on the basis of § 22, paragraph (1). Adjudication of the lawsuit falls within the jurisdiction of the court. At the option of the Data Subject, the lawsuit can also be initiated before the court of the Data Subject's place of residence or residence. At the request of the Data Controller, the Data Subject will inform the Data Subject in detail about the possibility and means of redress.