
About data management related to the activities of Hrishikesh Ayurveda Terápia Ltd. and the operation of the website https://www.hrishikeshayurveda.com/

 

Introduction

This Information Notice provides information on the activities of Ayurveda Terápia Kft. (hereinafter referred to as the "Data Controller") with regard to the data of natural persons in the course of its tasks as detailed below, in accordance with the EU General Data Protection Regulation 2016/679 (hereinafter referred to as the "GDPR"). It will inform you of the rules it follows in carrying out these activities and of the measures it has taken to protect the data it uses. Last but not least, it provides information on the rights of data subjects to the protection of their interests.

Data processing takes place whenever the Data Controller concludes a contract with its customers, business partners or employees, issues invoices to its business partners, or carries out camera surveillance. Occasionally, in order to comply with its legal obligations, it transfers part of these personal data to an external partner and/or public authority.

The Data Controller shall provide the mandatory information under Article 13 of the GDPR to data subjects and interested parties as follows:

1. Identification data of the data controller:

Name: Hrishikesh Ayurveda Therapy Ltd.

Place of residence and postal address: 1026 Budapest, Sodrás utca 16. 1. ajtó

Tax number: 32409068-2-41

telephone: +36 20 622 3588

e-mail: hrishikeshayurveda2018@gmail.com

 

2. Principles for the processing of personal data

The Data Controller acts in accordance with the following principles:

  • Purpose limitation principle: shows the purpose for which the Data Controller stores and uses the data of natural persons in the course of its activities.

  • The principle of data minimisation: that is, the scope of data processed is appropriate for a given purpose and only to the extent necessary for that purpose.

  • Principle of accuracy: according to this principle, personal data which are inaccurate, both for the Data Subjects and for the purposes of legal compliance, will be corrected or deleted by the Data Controller without undue delay.

The controller receives personal data directly from the data subjects. It accepts the obligation to perform the tasks related to the protection of personal data processed in the context of its activities, where appropriate, to help demonstrate to the Authorities, business partners and customers concerned that it has acted in compliance with the Regulation and the Info Act and other relevant legislation (accountability principle).

 

3. Definitions

The following terms are used in the Privacy Notice:

"personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"data subject": the natural person in respect of whom the Controller processes personal data.

"the data subject's consent" means the data subject's freely given, specific and informed indication of his or her wishes by which he or she, by a statement or by an act expressing his or her unambiguous consent, signifies his or her agreement to the processing of personal data concerning him or her.

"Controller" means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

"data breach" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Data Protection Officer": a person, as defined by the GDPR, who is an expert in the field of personal data protection in the company employing/assigning him/her, or who liaises with the data protection authority (DPA). In some cases - provided for by law - his/her employment may be mandatory, in other cases it may be recommended.

4. Order of data processing

In the course of its activities, the Data Controller shall process the data of employees, business partners, interested parties and customers, which it has obtained in any way and to any extent, in accordance with the provisions of this Privacy Policy, subject to the obligation of confidentiality, in accordance with the applicable Hungarian legislation and the GDPR. 

The Data Controller may lawfully store the data received in the course of its activities and related tasks, may organise them within the limits of the law and may use them to the extent necessary.

The controller shall immediately cease the processing it has carried out if its purpose has been fulfilled or has ceased, or at the data subject's discretion if the data subject so requests.

The Data Controller does not use profiling or automated decision-making.

5. Details of processing related to the controller's activities, by purpose

Purpose of data processing: contracting with business partners

  • Legal basis: legal obligation (GDPR Article 6 (1) (c); Act V of 2013 on the Civil Code)

  • Mode: on paper

  • Managed data: for sole traders: name, telephone number, e-mail address; in the case of a partner who is not a natural person (company, other organisation), the name, telephone number and e-mail address of the employee/contact person who will manage the contract

  • Data processing period: 8 years after the termination or expiry of the contract (including financial and accounting context)

  • Access to data: Data controller

 

Purpose of data processing: processing of data of applicants, evaluation of applications, CVs

  • Legal basis: consent of the data subject (Article 6(1)(a) GDPR)

  • Mode: paper and electronic

  • Processed data: name, date and place of birth, mother's name, address, qualifications, photograph, telephone number, e-mail address, employer's record of the applicant

  • Duration of data processing: until the application or tender is assessed. The personal data of unsuccessful applicants will be deleted within 30 days, as will the personal data of any person who withdraws his/her application or candidature.

  • Access to the data: the manager of the Data Controller who is entitled to exercise the rights of an employer, employees performing labour-related tasks.

  • There is no data transmission.

 

Purpose of data processing: occupational health fitness

  • legal basis: fulfilment of a legal obligation (Article 6 (1) (c) GDPR; Act I of 2012 on the Labour Code)

  • mode: on paper

  • data processed: the fact of the suitability for the job and the conditions required for this.

  • duration of data processing: until termination of employment

  • access to the data by: the manager of the Data Controller who is entitled to exercise the rights of an employer, an employee who is an employment administrator

 

Purpose of data processing: employment

  • legal basis: fulfilment of a legal obligation (GDPR Article 6 (1) (c); Act I of 2012 on the Labour Code; Act V of 2013 on the Civil Code)

  • mode: paper and electronic

  • the data processed: name of the employee, Name at birth, Place and date of birth, Nationality, Mother's name, Place of residence, Tax identification number, Social security number, Bank account number, Membership of voluntary pension fund, Pensioner's identification number, Current account number, Start of employment, Number of hours worked per week, Copy of school leaving certificate, Certificate of suitability for work, Job title, Details and number of children, Number of driving licence, (...) other data required by law

  • Duration of data processing: usually for 5 years after the end of the employee's employment, but some data (e.g. related to the payment of wages or the establishment of pension rights) may be processed for longer periods in accordance with the applicable legislation: 8 to 50 years, or cannot be deleted.

  • Access to the data: data controller, employee who performs labour administration tasks, authorised accountant (service provider), public authorities

The employee has the right to be informed about the personal data recorded and how it is processed. This right includes the right to request a copy of his/her personal data from the register.

 

Purpose of data processing: use of a discount (use of a gift voucher)

  • Legal basis: fulfilment of a legal obligation (GDPR Article 6 (1) (c)); Act CXVII of 1995 on Personal Income Tax; Act CXXVII of 2007 (VAT Act);

  • Mode: paper and electronic

  • Data processed: name of the beneficiary

  • Duration of data processing: 8 years due to the financial and accounting aspects of the benefit

  • Access to the data: data controller

 

Purpose of the processing: booking on the website

  • Legal basis: consent of the data subject (Article 6(1)(a) GDPR)

  • Mode: electronically

  • Managed data: Name, e-mail address

  • Duration of processing: until consent is withdrawn.

  • Access to the data: data controller

 

Attention! The Data Controller draws your attention to the fact that you have the right to refuse or withdraw your consent to data processing (your written request will be complied with within 5 days), or, if you experience unlawful processing, to seek redress before the Data Protection Authority (DPA) or the Court of Justice.

If you refuse data processing, you will unfortunately not be able to register on our website. However, you can shop without registering via our website or we will be happy to welcome you in person at our shop.

Purpose of processing: contacting you from the website (using the website form)

  • Legal basis: consent of the data subject (Article 6(1)(a) GDPR)

  • Mode: electronically

  • Data processed: name, telephone number, e-mail address 

  • Duration of processing: until consent is withdrawn.

  • Access to the data: data controller

 

Purpose of data processing: newsletter subscription

  • Legal basis: consent of the data subject (Article 6(1)(a) GDPR)

  • Mode: electronically

  • Data processed: name, e-mail address 

  • Duration of processing: until consent is withdrawn.

  • Access to the data: data controller

 

Purpose of data processing: social media use

  • Legal basis: consent of the data subject (Article 6(1)(a) GDPR)

  • Mode: electronically

  • Managed data: name, picture

  • Duration of processing: until the withdrawal of consent by the Data Controller, drawing attention to Facebook's processing

  • Access to data: all users who visit the Facebook profile

 

Purpose of data processing: invoicing

  • Legal basis: fulfilment of a legal obligation (Article 6 (1) (c) GDPR; Act C of 2000 on Accounting; Act CL of 2017 on the Tax Code)

  • Mode: electronically

  • Processed data: name, address/location, tax number

  • Duration of processing: 8 years

  • Access to data: data controller, NAV, bank

 

Information on the use of cookies on this website:

Data subject: any person who visits the website of the Data Controller https://www.hrishikeshayurveda.com/

During the use of the website, certain data may be recorded in your browser, but they are not accessible to the Data Controller. Such data includes non-personally identifiable information collected for statistical purposes, such as tracking the number of visitors to the website, the number of users who have downloaded each page of the website and the domain names of visitors' Internet service providers. We use this statistical information to understand how our visitors use our websites, thereby improving our services. No personal data is processed in this process.

During the use of the website, for various reasons, certain data of the user's computer is stored on our server (e.g. the name of the user's service provider, the data of the page from which the user accessed the website of the institution, the IP address of the user), which is implemented by "cookies". These data are used for statistical purposes only and are not linked to any other information that would allow the Data Subject to be personally identified.

 

The IP address

An IP address (Internet Protocol address) is a string of numbers that identifies your computer when you connect to an Internet service provider, either a local area network (LAN) or wide area network (WAN). The IP address is used by web servers to automatically identify your computer while you are connected online. The web service provider of the data controller may collect IP addresses for the purpose of monitoring site usage. We do not associate users with IP addresses for the purpose of collecting personal information, which means that although all users are recorded, they remain anonymous (non-identifiable).

Cookies

This website may also use a so-called "cookie" technique. A cookie is a small text file that the website provider places on your computer's hard drive. Cookies provide additional functionality to the website and help us to measure its use more accurately. Whenever we use cookies, we do not collect information that personally identifies you.

You have the option to allow or refuse cookies. Your Internet browser will usually automatically enable cookies, but you can change your browser settings to refuse cookies or, if you prefer, to receive a warning before a cookie is stored. Please refer to your Internet browser instructions or help screen to learn more about these features and to fine-tune your cookie settings. If you choose to decline cookies, you may not be able to take full advantage of the interactive features of our website or other websites.

Deleting cookies

If you do not accept the use of cookies, certain features will not be available to you. For more information on how to delete cookies, please click on the links below:

Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-11

Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

Mozilla: https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito

Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

Chrome: https://support.google.com/chrome/answer/95647

Edge: https://support.microsoft.com/hu-hu/help/4027947/microsoft-edge-delete-cookies

 

Purpose of data processing: camera surveillance (protection of human life, physical integrity and property)

  • Legal basis: legitimate interest of the controller (Article 6(1)(f) GDPR)

  • Mode: electronically

  • Data processed: facial image (image capture; the camera does not record sound)

  • Duration of processing: 14 days

  • Access to the data: data controller

 

Further information related to camera surveillance

The Data Controller shall not use electronic surveillance systems in any premises where such surveillance could offend human dignity, in particular in changing rooms, showers, toilets and their lobbies, or in premises designated for the purpose of employees' breaks from work.

The data storage unit of the cameras is stored in a physically protected, locked room, inaccessible to unauthorised persons. The viewing of images taken by the cameras is password-protected and only authorised by the person specifically authorised to do so. The viewing is logged in a retrievable manner.

If you are affected by any of the recordings and wish to exercise your rights, please notify the Data Controller within 10 days. After that, it will not be possible to view or record the recordings, as the system will automatically delete them permanently.

The Data Controller does not classify or consider the justification of the request received, but immediately ensures that the record is saved and blocked in accordance with the legal requirements.

In case of an official request, the Data Controller shall hand over the backed-up recordings to the requesting organisation. If no request is made in relation to the blocked record, the record shall be permanently deleted by the Data Controller after 30 days from the date of its blocking.

In all cases, the record (one copy) will be issued free of charge at the request of the person concerned.

Awareness-raising: the use of an electronic monitoring system shall be indicated by an attention-getting sign in a prominent place in the area, in such a way as to inform persons wishing to be present in the area. This information shall be provided for each camera (separately).

Area monitored by camera!

 

info: https://hrishikeshayurveda.com

/administrative

 

A precise description of the area monitored by the cameras can be requested from the Data Controller. If you wish to view them, please contact the Data Controller at the indicated telephone number or e-mail address.

6. Transfer, transmission of personal data

The Data Controller sometimes transfers personal data to third parties in connection with its activities. The transfer of data may take place on paper or electronically, in both cases ensuring that the data is only accessible to the recipient.

  • paper transmission: by hand delivery or by post, expressly addressed to the addressee

  • electronically (e-mail): no personal data will appear in the text of the message. If necessary, personal data is sent in an attached Excel or compressed file, in each case with a unique password. The password will be transmitted to a specific person (e.g. by phone, SMS), so that the Data Controller can guarantee that the personal data is inaccessible to unauthorised persons throughout the entire process of transmission.

 

In case of electronic data transmission, the data will be sent from a computer with a unique password, protected against viruses, used exclusively for the activities of the Data Controller.

Data are transferred from the controller - with the legal basis of "performance of contracts" or "legal compliance" - to the following partners acting as processors or as independent data controllers:

a. Tax authority (NAV):

  • contact address: 1016 Budapest, Krisztina krt. 99.

  • legal basis for data transfer: fulfilment of a legal obligation (Article 6 (1) (c) GDPR; Act C of 2000 on Accounting; Act CL of 2017 on the Tax Code)

  • Purpose of the transfer: legal compliance

  • data transmitted: name, address, tax number (for sole traders)

  • Date and means of transmission: ad hoc, by electronic means

 

b. Accounting partner:

  • LG Accurity Kft.

  • Contact: 1046 Budapest, Fóti út 87.

  • legal basis for the transfer: performance of a contract (Article 6(1)(b) GDPR)

  • Purpose of data transmission: finance, accounting

  • data transmitted: name, address, tax number, employer payment details

  • Date and means of transmission: ad hoc, by electronic means

 

c. Financial partner:

  • OTP BANK NYRT, BUDAPEST REGION

  • Contact: 2040 BUDAÖRS, SZABADSÁG U. 131/A

  • Purpose of the transfer: payment of wages, financial settlement of accounts

  • Legal basis for the transfer: performance of a contract (Article 6(1)(b) GDPR)

  • Scope of data transmitted: surname, first name, social security number, bank account number

  • Date and means of transmission: ad hoc, by electronic means

 

d. Invoicing software provider (online service)

  • KBOSS.hu Kft

  • Customer service: https://www.szamlazz.hu/szamla/ugyfelszolgalat

  • Legal basis for data processing: performance of a contract (Article 6(1)(b) GDPR); performance of a legal obligation (Article 6(1)(c) GDPR; Act C of 2000 on Accounting; Act CL of 2017 on the Tax Code)

  • Data transmitted: name of the data subject, billing name, billing address, e-mail address

  • Purpose of the data transfer: issuing an invoice by providing a link to NAV

  • Time and means of transmission: occasionally, electronically

 

7. Rights of the data subject

The right to information: The data subject may request information from the Data Controller about the processing of his/her personal data within the period of processing. The Data Controller shall inform the Data Subject in writing and in an intelligible form, within the shortest possible period of time from the date of the request, but not later than 30 days, of the data processed, the purposes, legal basis and duration of the processing and, where the data have been further processed, the persons to whom and for what purposes the data are or have been disclosed.

Right to rectification of data: The data subject may request the Controller to rectify his/her personal data within the period of processing. The Data Controller shall comply with the request within 15 days.

The right to erasure ("right to be forgotten"): The data subject has the right to request the erasure of his/her personal data, which the Data Controller will comply with within 15 days at the latest. The right to erasure does not apply where the Controller is legally obliged to store the data further, nor does it apply where the Controller is entitled to further process the personal data in accordance with Article 6(5) of the Infotv.

Right to block the data: the Data Subject may request the Controller to block the personal data if the final deletion of the data would harm the Data Subject's legitimate interests. The personal data thus blocked may be processed only for as long as the purpose which precluded the deletion of the personal data persists.

Right to data portability: under this right, the data subject has the right to receive personal data concerning him or her which he or she has provided to a Data Controller in machine-readable format and to transmit these data to another Data Controller without hindrance from the Data Controller to which he or she has provided the personal data. In the context of data processing on the Internet, it is not sufficient to ensure the right to erasure, since data are not only stored by one data controller but also by many other data carriers, and search engines will now make previously stored versions available. Under the new General Data Protection Regulation rules, given the specificities of the internet, we will also allow data subjects to delete their data at all possible access points, as this is the only way to exercise their rights effectively.

The right to object: the Data Controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide on its merits and inform you in writing of its decision. If the Data Controller does not comply with the data subject's request for rectification, blocking or erasure, it shall, within 30 days of receipt of the request, communicate in writing or, with the data subject's consent, by electronic means, the factual and legal grounds for refusing the request for rectification, blocking or erasure.

8. Other provisions on data management

Termination of processing

The Controller shall delete any personal data,

  • the processing of which has ceased to serve a purpose, or

  • for the processing of which the data subject's consent is not available,

  • whose processing has been withdrawn or prohibited by the data subject, or

  • for the processing of which there is no legal basis.

Instead of deletion, the Data Controller shall block the personal data if the data subject so requests or if, on the basis of the information available to him or her, it is likely that deletion would harm the data subject's legitimate interests. The personal data thus blocked shall be processed only for as long as the processing purpose which precluded the deletion of the personal data persists.

9. Our privacy complaint handling procedures

The procedure: the Data Controller shall treat as a complaint and deal with any written communication from the natural person concerned to the Data Controller, where the communication concerns a complaint about the Data Controller's actions or omissions incompatible with the provisions of this Privacy Notice (hereinafter referred to as "the complaint").

Complaints may be made in writing within 30 days of the discovery of the specific breach, by sending a notification to the Data Controller's e-mail or postal address. Failure to comply with the time limit shall result in forfeiture of rights.

The complaint must contain at least: the name, address (e-mail address), telephone number of the complainant, the date of the complaint, the specific description of the complaint, the signature of the complainant and the fact that he/she consents to the processing of the data contained in the complaint in the procedure related to the complaint, at the same time as signing the complaint. In the absence of these data and the declaration, the Data Controller shall refrain from investigating the complaint and shall notify the Complainant in writing.

The Data Controller shall process the data of the Complainant solely in connection with the complaint, and shall not disclose it to third parties, except for requests by authorities or courts as provided by law, nor use it for business purposes.

The Data Controller shall investigate the complaint and provide a reasoned written response within 30 days of receipt in the same way as the complaint was lodged (by e-mail or post). If the 30-day period is not sufficient to investigate the complaint, the Data Controller shall inform the complainant accordingly. In this case, we will provide a reasoned response in writing within 3 months of the notification, in the same way as the notification.

If, after investigating the complaint, the Data Controller determines that the Complainant's complaint was factual and justified, it shall inform the Complainant of the manner and extent of the remedy for the breach at the same time as it assesses the complaint.

In case of rejection of the complaint, the Data Controller shall inform the Complainant in writing that he/she may further submit the complaint to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as "the Authority") or, in case of a complaint, to the Court of Justice. The National Authority for Data Protection and Freedom of Information (NAIH) can be contacted below.

Pursuant to Article 52 (1) of the Infotv., the Authority will only investigate complaints if the data subject has already contacted the data controller prior to his/her notification to the Authority in connection with the exercise of the rights specified in the notification.

In this context, the data subject may request the controller to inform him/her about the processing of his/her personal data, to rectify his/her personal data and to erase or block his/her personal data, except for mandatory data processing, pursuant to Article 14 of the Data Protection Act.

 

10. Procedural rule on the handling of the data subject's objection

The data subject may object to the processing of his or her personal data at any time. The controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide whether it is justified and inform the applicant of its decision by means of a formality which is in conformity with the request and can be proven (e.g. in writing, by e-mail).

If the Data Controller establishes that the data subject's objection is justified, the Data Controller shall immediately cease the processing, including further collection and transmission, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data subject to the objection was previously disclosed and who are obliged to take measures to enforce the right to object.

If the data subject disagrees with the decision of the Data Controller or if the Data Controller fails to comply with the 15-day time limit, the data subject may, within 30 days of the notification of the decision or the last day of the time limit, apply to the court or the Data Protection Authority (DPA) to enforce his or her rights.

The Authority facilitates the enforcement of data subjects' rights through the issuance of form letters: https://naih.hu/panaszuegyintezes-rendje.html

Reporting a complaint: NAIH, 9-11, Falk Miksa Street, 1055 Budapest

E-mail address: ugyfelszolgalat@naih.hu

tel.: +36 (1) 391-1400

website: www.naih.hu

 

11. Data security

The Data Controller stores the personal data of the data subjects electronically only on the computer used in the business, which is protected both electronically and physically. This prevents unauthorised access, modification, transmission, deletion or destruction, including accidental destruction, damage and inaccessibility due to technical alteration.

In all cases, the paper-based data storage is carried out in a locked room, in a locked cabinet, inaccessible to unauthorised persons.

 

12. Data breach and its handling

Data breach: any act, intervention or omission which gives rise to unlawful processing of personal data, in particular unauthorised access, alteration, disclosure, erasure or destruction, accidental destruction or accidental damage.

Anyone who notices such a situation in connection with the activities of the Data Controller should report it as soon as possible by telephone: +3630 181 4858

 

The Data Controller records the notification and starts investigating it without delay. If the data breach occurred in an IT system, it shall inform the service providers responsible for the operation of the databases concerned.

In order to investigate the notification and handle the incident, the Data Controller collects all information that may be necessary to identify the incident, mitigate the potential damage and develop further measures to prevent it. As far as possible, it records:

  • the time and place of the incident,

  • a description of the incident, its circumstances, its effects,

  • the scope and quantity of data compromised in the incident,

  • the persons affected by the compromised data

 

In addition, the Data Controller shall notify the Authority (NAIH) within 72 hours, as required by law.

 

Data Protection Officer: the Data Controller does not process large amounts of personal data and/or personal data that may be considered particularly sensitive in connection with its main activities, it is not a public authority, therefore it does not consider the appointment or employment of a Data Protection Officer to be justified, nor is it required to do so by the applicable legislation.

 

Note: The Data Controller reserves the right to update this Privacy Notice on an ongoing basis, and to unilaterally amend the information detailed herein, also in accordance with changes in legislation. The amended (current) Privacy Notice is available on the Controller's website.

 

Budapest, July 26, 2023                  

Hrishikesh Ayurveda Therapy Ltd.
