Data controller details:

Company name: Szlezsuk Róbert e.v.
Registered office: 1137 Budapest, Szent István krt. 18.
Tax number: 59272159-1-41
Registration number: 57285447
Website: https://office.massageservice.hu/
E-mail address: info@massageservice.hu
Phone number: +36 20 460 7990

Acting authority:
National Data Protection and Freedom of Information Authority
Postal address: 1530 Budapest, P.O. Box: 5.
Address: 1125 Budapest Szilágyi Erzsébet fasor 22/c
Telephone: +36 1 391 1400
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

1. The purpose of these regulations is:

Masszőr Futár Kft., as the data controller, recognizes the content of this legal notice as binding on itself.
The data controller, in compliance with the applicable laws and regulations, ensures the correct handling, storage, protection, use and deletion of personal data that it acquires while exercising its data controller and processing activities.
The data controller expressly declares that its data processing complies with this policy and with the national and EU laws and EU legal acts in force at all times.
The data controller may modify this data protection statement at any time, but will always notify the data subjects in a timely manner.
The data controller considers it particularly important to respect its customers’ right to informational self-determination and to protect its customers’ personal data, so it always handles its customers’ personal data confidentially and with the highest possible degree of care, and takes all security, technical and organizational measures that guarantee the security of the data.
The data controller accepts any questions regarding this data protection statement at the following address: info@massageservice.hu

2. Legal aspects:

The Data Controller acknowledges the following laws and recommendations regarding data management as binding on itself:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016)
  – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation, GDPR)
• Act CXII of 2011 – on the right to informational self-determination and freedom of information (Infotv.)
• Act V of 2013 – on the Civil Code (Ptk.)
• Act CLV of 1997 – on consumer protection (Fgytv.)
• Act XIX of 1998 – on criminal procedure (Be.)
• Act C of 2000 – on accounting (Számv. tv.)
• Act CVIII of 2001 Act – on certain issues of electronic commerce services and services related to the information society (Eker. tv.)
• Act C of 2003 – on electronic communications (Eht.)
• Act XLVIII of 2008 – on the basic conditions and certain limitations of economic advertising activity (Grt.)
• Act XXXVII of 2009 – on forests, forest protection and forestry (Evt.)
• Act CCXXXVII of 2013 – on credit institutions and financial enterprises (Hpt.)
• Act XC of 2017 – on criminal procedure (Be.)
• Act CLXIV of 2005 – on trade (Kertv.)
• 19/2014. (IV. 29.) NGM Decree – on the procedural rules for handling warranty and guarantee claims regarding things sold under a contract between a consumer and a business (Szav. r.)

When developing its data management processes and records, the company took into account the relevant elements of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information and Regulation 2016/679 of the European Parliament and of the Council (GDPR).

3. Scope of personal data processed by the data controller and the purpose of data processing:

Scope of personal data: transaction number, date and time, content of the receipt, name, address and tax number in the case of an invoice, name, quantity, purchase price and payment method of the purchased services. Purpose of data management: In accordance with the Information Act and other relevant legislation, only the personal data absolutely necessary for the processing of individual appointment bookings, invoicing and sending out subsequent marketing materials, and for the development of the user experience are processed.
Providing personal data on the Data Controller’s website is always voluntary.
By making an appointment request, the User accepts this data protection policy and consents to the Data Controller storing, managing and using the data provided by him for the purpose and for the period determined by the nature of the service. The User assumes absolute responsibility for having completed the registration voluntarily and with adequate information.

4. Legal basis for data processing:

The data processing is necessary for the performance of the contract [Article 6 (1) (b) of the GDPR], or Article 6 (1) (c) of the GDPR, namely the data processing is necessary for the performance of a legal obligation to the data controller, with regard to Section 169 (2) of the Accounting Act. The data processing activities of the data controller are based on the voluntary consent of the data subjects or on statutory authorization. In the case of data processing based on voluntary consent, the data subjects may withdraw this consent at any stage of the data processing. In certain cases, the processing, storage and transmission of a range of the data provided are mandatory by law.
The user consents to the Data Controller linking the processed data for the efficient operation of the system, for statistical or informational purposes. The user acknowledges that he gives his consent to the data controller sending him electronic advertising by electronic mail or an equivalent individual means of communication.

Duration of data management: eight years in accordance with Section 169 (2) of the Accounting Act.
In the case of card payments, the bank card and card payment transaction data are managed by Barion Payment Zrt. (1117 Budapest, Irinyi József utca 4-20. 2nd floor).
Possible consequences of failure to provide data: the customer may not receive a personal invoice.

Data transfer: in the case of payment by bank card, the payer’s ID, the amount, date, time of the transaction to Barion Payment Zrt. (1117 Budapest, Irinyi József utca 4-20. 2nd floor).
Legal basis for data transfer: data processing is necessary for the performance of the contract [GDPR Article 6 (1) (b)].

Data processors:
Billingo Technologies Zrt, 1133 Budapest, Árbóc utca 6, 1st floor (invoicing system operation)

Data transfer:
In the case of a taxable natural person (e.g. sole proprietor, primary agricultural producer), the data will be transferred to the National Tax and Customs Office (1054 Budapest, Széchenyi u. 2.):

• In the case of an invoice issued to a taxable person (Section 169 of the VAT Act): the tax number of the purchaser of the product or the recipient of the service, under which the sale of the product or the provision of the service was made as a taxable person liable to pay tax, or the tax number under which the intra-Community sale of the tax-exempt product was made to him, or the first eight digits of his tax number or, in the case of group VAT, the group identification number, under which the sale of the product or the provision of the service was made to him as a taxable person registered in Hungary, provided that the seller of the product or the provider of the service has established himself in Hungary for economic purposes, and in the absence of an establishment for economic purposes, his place of residence or usual place of residence in Hungary; the name and address of the recipient of the service; the date of issue of the invoice; the serial number of the invoice, which identifies the invoice without any doubt; the name of the product sold, its designation – at the choice of the person obliged to issue the invoice – the VAT code used in the VAT Act, and its quantity, or the name of the service provided, its designation – at the choice of the person obliged to issue the invoice – the TESZOR’15 used in the VAT Act, and its quantity, provided that it can be expressed in natural units of measurement; the date of performance, in the case of advance payment, the date of determination of the tax payable, if it differs from the date of issue of the invoice; in the case of the use of a financial representative, the name, address and tax number of the financial representative),
• in the case of a document considered to be an invoice (§ 170 of the VAT Act): the date of issue of the document; the serial number of the document, which identifies the document without any doubt; a reference to the invoice whose data content is modified by the document; the name of the invoice data affected by the modification, as well as the nature of the modification and its numerical effect.

In the case of a non-taxable natural person (private individual), the data will be forwarded to the National Tax and Customs Office (1054 Budapest, Széchenyi u. 2.):

• in the case of an invoice (§ 169 of the VAT Act): the date of issue of the invoice; the serial number of the invoice, which identifies the invoice without any doubt; the name of the product sold, the category number used in the VAT Act to designate it – at the choice of the person obliged to issue the invoice – and its quantity, or the name of the service provided, the TESZOR’15 used in the VAT Act to designate it – at the choice of the person obliged to issue the invoice – and its quantity, provided that it can be expressed in natural units of measurement; the date of performance, in the case of advance payment, the date of determination of the tax payable, if it differs from the date of issue of the invoice;
• in the case of a document considered to be an invoice (Section 170 of the VAT Act): the date of issue of the document; the serial number of the document, which identifies the document without any doubt; a reference to the invoice whose data content is modified by the document; the name of the invoice data affected by the modification, as well as the nature of the modification and its numerical effect.

Legal basis for the data transfer: the data processing is necessary for the fulfillment of a legal obligation to which the data controller is subject [GDPR Article 6 (1) (c)], pursuant to points 1, 2 and 4 of Annex 10 of the VAT Act.
Possible consequences of failure to provide data: the data controller cannot issue an invoice to the data subject.

5. Data security measures:

The data controller ensures the secure storage of data, complying with the technical and practical measures included in its information security policies. It establishes the procedures and controls necessary for protected data management, which can ensure that the data processed remains protected according to the criteria of confidentiality, integrity and availability, thus preventing any unauthorized access, alteration, destruction and external or internal data leakage.

The Data Controller ensures that only its authorized employees and the Data Processors used in the data processing have access to the processed data, and does everything within its capabilities to prevent unauthorized persons from disclosing, transmitting, modifying or deleting them. As a result, the processed data may only be accessed by the Data Controller, its employees and the Data Processors used by it, and it does not voluntarily disclose it to a third party or organization that is not authorized to do so under any circumstances.

The Data Controller will do everything in its power to ensure that the data is not damaged, modified, destroyed or made public due to accidental events caused by human error or lack of properly planned data management. The Data Controller also requires the above commitment from its employees involved in data management activities.

6. Rights and legal remedies related to data processing:

The User does not consent to the disclosure of his/her data. The User may at any time request information from the data controller about the processing of his/her personal data, and may request the correction of his/her personal data, or – with the exception of mandatory data processing – its deletion, withdrawal, and exercise his/her right to data portability and objection in the manner indicated when the data was collected, or at the above contact details of the data controller.
Upon withdrawal of data processing consent, the User’s data will be immediately deleted from the data controller’s database.

6.1. Right to information:
The Data Controller shall take appropriate measures during the processing of data to provide data subjects with all information referred to in Articles 13 and 14 of the GDPR and all information pursuant to Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, in clear and plain language.

6.2. Right of access of the data subject:
The data subject has the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed and, if so, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; the intended storage period of the personal data; the right to rectification, erasure or restriction of processing and to object; the right to lodge a complaint with a supervisory authority; information on the sources of the data; the fact that automated decision-making is being carried out, as well as intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

The data controller shall provide the above-mentioned information within a maximum of one month from the date of submission of the request.

6.3. Right to rectification:
The data subject may request the rectification of inaccurate or incorrect personal data concerning him or her processed by the data controller and the completion of incomplete or inaccurate data.

6.4. Right to restriction of data processing:
At the request of the data subject, the data controller shall restrict data processing if one of the following conditions is met:

• The data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period which enables the accuracy of the personal data to be verified;
• The processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
• The controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
• The data subject has objected to the processing; in which case the restriction shall apply for a period of time, pending the verification of whether the legitimate grounds of the controller override those of the data subject.
• Where processing is subject to restriction, personal data may be processed, with the exception of storage, only with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interests of the Union or of a Member State.

6.5. Right to erasure:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, where:

• The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• The data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;
• The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• The personal data have been processed unlawfully;
• The personal data were collected in connection with the provision of information society services.
• The erasure of data cannot be requested if the processing is necessary: ​​for the exercise of the right to freedom of expression and information; for the performance of a task carried out in the context of an obligation to which the controller is subject under Union or Member State law.

6.6. Right to object:
The data subject shall have the right, on grounds relating to his or her particular situation, to object at any time to processing of personal data concerning him or her for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or for the purposes of the legitimate interests pursued by the controller or by a third party. In the event of an objection, the controller shall no longer process the personal data unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

6.7. Automated decision-making in individual cases, including profiling:
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

6.8. Right of withdrawal:
The data subject has the right to withdraw their consent at any time.

6.9. Right to appeal to court:
The data subject may appeal to court against the data controller in the event of a violation of his or her rights. The court shall proceed with the case without delay.

6.10. Data protection authority procedure:
A complaint can be filed with the National Data Protection and Freedom of Information Authority:
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box: 5.
Telephone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

The submission of complaints and the procedure for their assessment are governed by the provisions of the Regulation and the Information Act, as well as those described on the NAIH website.