|
Privacy Policy of the EISDEV Consulting Limited Liability Company
I. Introduction The purpose of this Privacy Policy is to set out the data protection and data management policy of EISDEV Consulting Ltd. (hereinafter referred to as the "Controller") in relation to the use of the customer management system (hereinafter referred to as the "System") developed and operated by EISDEV Consulting Ltd. and to provide the data subjects with appropriate information on the processing of their personal data. The Data Controller is committed to ensuring that in its activities it fully complies with the legal requirements for the processing of personal data as described below.
II. Details of the Data Controller
Name of Data Controller: EISDEV Consulting Limited Liability Company Registered office of Data Controller: 2724 Újlengyel, Nyári Pál utca 2. Company registration number: 13-09-168979 Tax number: 24867719-2-13 Legal representative: Ferenc Pályi, managing director Email: adatkezeles@eisdev.hu Name of the system used by the Data Controller: foglalok.ai
III. Applicable laws and definitions
Data controller: a natural or legal person or a company with legal personality who or which, alone or jointly with others, determines the purposes of data processing, makes and implements decisions relating to data processing (including the means used), or has them implemented by a data processor commissioned by it. for the purposes of this data processing notice, EISDEV Consulting Kft. Customer: Natural or legal persons who use the System developed and operated by the Data Controller on the basis of a contractual relationship for the purpose of carrying out their own business activities. Customer's Clients: Natural persons who use or wish to use the commercial services provided by the Customer. Data Subjects: The Customer's Clients who, by accepting this information notice and providing their data, voluntarily consent to the processing of their data and whose personal data is affected by the data processing. Processing: the performance of technical tasks related to data controlling operations. Data processing: any operation or set of operations performed on data, regardless of the procedure used, in particular collection, recording, organisation, storage, alteration, use, retrieval, disclosure, alignment or combination, blocking, erasure or destruction, as well as preventing further use of the data, and the taking of photographs, sound recordings or video recordings. Data transfer: making data available to a specific third party. Data erasure: rendering data unrecognizable in such a way that it cannot be restored. Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Third party: a natural or legal person or any other body other than the Data Subject, the Customer, the Data Controller or those persons who, under the direct authority of the Data Controller or data processor, are authorised to process personal data. Consent: a voluntary and definite expression of the Data Subject's will, based on adequate information, by which he or she gives his or her unambiguous consent to the processing of personal data relating to him or her, either in full or for specific operations. Personal data: data relating to an identified natural person, in particular their name, identification number, and one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity, as well as conclusions that can be drawn from the data about the Data Subject that are not considered to be in the public interest or publicly available. Personal data includes, among other things, name, address, telephone number, and email address. The personal data processed by the Data Controller in the System is name and telephone number. System: the foglalok.ai online customer management system accessible via Facebook Messenger. Objection: a statement by the Data Subject objecting to the processing of their personal data and requesting the termination of data processing or the deletion of the processed data. Website: refers to the www.foglalok.ai website. Facebook profile: data set registered and recorded by the Data Subject, which is outside the scope of the Data Controller's operations. Facebook Messenger application: background application related to the operation of the System.
Applicable laws: • The Fundamental Law of Hungary; • Act CVIII of 2001 on certain issues related to electronic commerce services and information society services; • Act CXII of 2011 on the right to self-determination in information and freedom of information (hereinafter: Info Act); • Act V of 2013 on the Civil Code (hereinafter: Civil Code); • Act VI of 1998 on the promulgation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed in Strasbourg on January 28, 1981; • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
IV. Data processing principles
The data processing carried out by the Data Controller complies with the data processing principles of the GDPR and the Infotv. Only personal data that the Customer or the Customer's Client voluntarily provides to the Data Controller or consents to the recording, processing, and use of will be recorded in the System developed and operated by the Data Controller (principle of voluntariness). Personal data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (principles of lawfulness, fairness and transparency). Personal data shall be collected only for specified, explicit and legitimate purposes and shall not be processed in a manner incompatible with those purposes (principle of purpose limitation). Personal data must be adequate and relevant for the purposes of data processing and limited to what is necessary (principle of data minimization). Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of accuracy). Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (principle of storage limitation). Personal data must be processed in such a manner that appropriate technical or organizational measures are taken to ensure the appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage (principle of integrity and confidentiality). The Data Controller is responsible for compliance with the principles and must be able to demonstrate such compliance (principle of accountability). In addition to the principles of data processing, the requirement for adequate information can be identified as a common requirement, as the Data Controller must inform the Data Subjects about the data processing in any case of data processing.
V. List of data processed, purpose, legal basis and duration of data processing
The Data Subject uses the System developed and operated by the Data Controller within the framework of the Facebook Messenger application, using the data of their own registered Facebook profile, and provides personal data, i.e. the use of the System does not require additional registration or the provision of any other data. The Data Controller expressly states that it does not process the Data Subject's profile data used in the Facebook application and related data.
1. During the use of the System by the Data Subject, the Data Controller performs data processing involving the following data:
• the Data Subject's name, • the Data Subject's telephone number • the Data Subject's profile picture, • the Data Subject's language, • the Data Subject's email address recording.
The purpose of data processing is to use the foglalok.ai System and to maintain contact. The legal basis for data processing is the voluntary consent of the Data Subject. The start of the data processing period is when the Data Subject provides their data, and the end of the data processing period is when the Data Controller receives the Data Subject's request for deletion of their data, or, in the absence of such a request, automatically at the end of the fifth year from the date the data was provided, i.e. after the general limitation period specified in the Civil Code has expired.
2. Additional data processing related to the use of the System, i.e. online appointment booking
The Data Controller informs the Data Subjects that, with regard to the data categories specified below, the primary recipient and actual data controller of the data is the Customer using the System for the purpose of supporting its own independent activities. The Data Controller is considered to be the Customer's data processor with regard to the following data. By accepting this Data Processing Notice, the Customer acknowledges that it has an immediate obligation to inform the Data Controller if Data Subjects submit a request for data erasure to it. The scope of data affected by data processing under this section
Data of the Customer's Clients:
• full name • mobile phone number • profile picture • language • email address
The purpose of data processing is the proper use of the System, i.e. making legal declarations related to the use of the Customer's business activities and maintaining contact. The legal basis for data processing is the voluntary consent of the Customer's Customers. The duration of data processing is from the recording of the data until the Customer's request for data deletion is received by the controller, or, in the absence thereof, automatically at the end of the fifth year from the date of provision of the data, i.e. after the expiry of the general limitation period under the Civil Code.
VI. Concluding contracts with customers, data transfer based on legislation, data security
If a contract for the use of the System is concluded between the Data Controller and the Customer, the parties shall specify in the contract the personal data of the contact person that are essential for the communication necessary for the performance of the contract. The scope of data affected by data processing according to this section is the name/telephone number/position/email address of the Customer or its employee. The purpose of data processing is to maintain contact between businesses and to fulfill the provisions of contracts. The legal basis for data processing is the fulfillment of contractual obligations. The duration of data processing is equal to the duration of the contractual relationship and the general limitation period prescribed by the relevant legislation. As a general rule, the Data Controller does not transfer the data it processes to third parties. Data may only be transferred if the Data Subject has given their express prior consent, or if required by law, or if requested by an authority with the power to do so under the law. The basic forum for data recording is the Data Controller's IT system. The Data Controller stores the personal data referred to above on the server of the company's own IT service provider. The Data Controller undertakes to ensure the security of the data in accordance with the provisions of the GDPR and the Infotv. Individuals who are in an employment or contractual relationship with the Data Controller are entitled to access and process certain personal data. With regard to the data contained in this privacy policy, the Data Controller's employees and contractual partners providing services to the Data Controller are bound by a confidentiality obligation under their contracts with the Data Controller, and contractual partners providing services to the Data Controller are bound by confidentiality obligations under their contracts with the Data Controller, pursuant to which they may not process the data they have access to for purposes other than those related to their legal relationship, nor may they transfer such data to third parties. The tasks, access rights, and obligations of persons involved in data processing are regulated by the Data Controller's internal regulations and data processing agreements. Employees are liable under labor law for compliance with these regulations, while contractual partners are liable under civil law. During the operation of IT systems, the necessary authorization management, internal organizational and technical solutions ensure that your data cannot fall into the hands of unauthorized persons and that unauthorized persons cannot delete, export or modify the data from the system. The data controller also enforces data protection and data security requirements on data processors. It keeps records of any data protection incidents and, if necessary, informs the Data Subject and, if necessary, the National Data Protection and Freedom of Information Authority (NAIH) of any incidents that arise. Personal data shall be accessed by persons acting within the sphere of interest of the data controller, in particular agents and employees, who need it to perform their duties and who are aware of and familiar with their obligations regarding data processing. The Data Controller pays particular attention to ensuring that all its agents and employees are familiar with its internal data protection protocol and process personal data in accordance with its provisions. The Data Controller undertakes to ensure the security of the data with the most modern and appropriate equipment and security rules, with particular regard to preventing unauthorized persons from accessing the data and the unlawful disclosure, deletion, or destruction of the data. It shall do everything in its power to prevent the accidental damage or destruction of data. The data controller shall also impose the above obligation on its employees involved in data processing activities.
The Data Controller never collect special data, i.e. data relating to racial origin, membership of a national or ethnic minority, political opinion or affiliation, religious or other beliefs, membership of interest groups, health, addictions, sex life, or criminal record.
The Data Controller accepts data protection-related inquiries at the following contact details:
Email: adatkezeles@eisdev.hu
Postal address: the Data Controller's registered office
VII. The rights of the Data Subject during data processing
During the period of data processing, Data Subjects are entitled to the following rights.
1. Right to information
The Data Controller is obliged to provide information about the essential aspects of data processing in an appropriate manner, in simple and accessible language, and in an easily accessible form (online or offline). At the time of obtaining personal data, or if the data subject subsequently requests information, the Data Controller shall provide the data subject with the Data Processing Notice and shall have the data subject sign a statement confirming that they have read, understood and accepted the contents thereof, or record their statement in a manner equivalent to a signature (including, but not limited to, consent given via electronic channels) . The data subject shall be entitled to request information at any time about the personal data concerning him or her processed by the data controller. The information may be requested by e-mail or by post at the address indicated in the information notice on the data processing in question. The data controller shall provide the requested information within 30 days of the request.
2. Right to erasure
The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay, and the Data Controller shall have the obligation to erase personal data concerning the Data Subject without undue delay. If the Data Controller has granted access to the data requested for erasure to third parties, it shall inform all those to whom it has disclosed the data concerned to erase all references to and personal data stored by them. The purpose of this is to ensure that, unless there is a legal or reasonable obstacle, the data concerned "disappears" from the databases that can be found. The deletion does not have to be carried out if the data processing is: • necessary for the exercise of the right to freedom of expression or information; • is necessary for the establishment, exercise, or defense of legal claims; • is necessary for compliance with a legal obligation; • is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, and erasure would render the purpose of the data processing impossible or seriously jeopardize it.
The Data Controller shall also delete the personal data contained in its documentation relating to the data subject if the purpose for which the personal data was processed has ceased to exist. The Data Controller notes that, as a general rule, data processing is carried out in the form of electronic documentation; in the case of any paper-based documentation, its destruction must be recorded in a protocol so that this fact can be proven to the competent authority at a later date.
3. Right to rectification
The Data Subject may indicate that the processed data is inaccurate and request that it be replaced. The Data Controller is responsible for the accuracy of the data, so it is necessary to check its accuracy from time to time.
4. Right to restriction of processing
The Data Subject may request the Data Controller to restrict the processing of their personal data, for example in an unclear, disputed situation. If data processing is restricted, such personal data may be processed, with the exception of storage, only with the consent of the Data Subject, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
5. Right to data portability
The Data Subject may request to receive the data processed concerning him or her in a structured, commonly used and machine-readable format (e.g. .doc, .pdf, etc.) and has the right to transmit those data to another controller without hindrance from the original controller. This makes it easier for the data subject to transfer their personal data from one data controller to another.
6. Right to object
The Data Subject has the right to object at any time to the processing of their personal data for specific reasons, if they have not given their consent to the processing of their data.
VIII. Legal remedy
If the Data Subject wishes to exercise his or her rights, this involves identification, and the Data Controller must communicate with the Data Subject as necessary. Therefore, personal data will need to be provided for identification purposes (but identification may only be based on data that is otherwise processed), and complaints regarding data processing will be available in our email account within the time period specified in this notice. Complaints related to data processing will be responded to by the Data Controller without delay, but no later than within 30 days.
The Data Subject is also entitled to lodge a complaint with the NAIH (1055 Budapest, Falk Miksa u. 9-11.; www.naih.hu, Telephone: +36 (1) 391-1400, Fax: +36 (1) 391-1410, E-mail: ugyfelszolgalat@naih.hu) or to enforce their rights relating to the processing of personal data before the court having jurisdiction and competence under Act CXXX of 2016 on Civil Procedure.
IX. Final provisions
If the Data Controller wishes to process personal data for purposes other than those specified in this notice, it shall inform the Data Subject of the new purpose of the data processing prior to such further processing. Data processing for the new purpose may only commence thereafter – if the legal basis for data processing is consent – if the Data Subject also consents to the data processing in addition to the information provided.
By accepting this Data Processing Notice, Customers declare and guarantee that they have the appropriate legal basis for the processing of customer data containing personal data entered into the System, and that the processing of customer data is always carried out in accordance with the relevant domestic and Community legal provisions. The Data Controller operating the System shall not be liable for the Customer's data processing practices or for the legal basis on which the Customer has obtained the personal data entered into the System.
By accepting this Data Processing Notice, the Data Subjects declare that they have read and accepted the provisions and information contained therein and give their consent to the processing of their data.
The Data Processing Notice is valid until revoked and applies to all organizational units of the Data Controller, data processors, employees, officers, and those in a contractual relationship with them.
The Data Management Policy shall be reviewed annually or in the event of changes in EU or domestic legislation.
The Data Controller reserves the right to amend this policy and to modify it accordingly in the event of changes in European Union or Hungarian legislation.
This Data Processing Notice is valid and effective from August 1, 2025. |