The purpose of this Privacy Notice (hereinafter: the “Privacy Notice”) is to describe, for all data processing activities of Lajos Zsom as data controller (hereinafter: the “Data Controller”), in particular for the personal data obtained through the website operated by him (drzsomlajos.hu, hereinafter: the “Website”), the data protection rules, procedures, and safeguards applied to personal data processed within the Data Controller’s organization.

I. Data Controller and Data Processors

1. Data Controller

Name: Dr. Lajos Zsom
Postal address: 6725 Szeged, Boldogasszony sgt. 42. 2/9, Hungary
E-mail address: contact@drzsomlajos.hu

2. Data Processors

2.1. IT service providers of the Data Controller

For the operation and maintenance of the Website, the Data Controller uses data processors who provide IT services and, for the duration of their contract with the Data Controller, process the personal data provided on the Website.

Company name: Tárhely.Eu Szolgáltató Kft.
Postal address: 1538 Budapest, Pf. 510., Hungary
Contact: support@tarhely.eu
Website: www.tarhely.eu

Company name: Kecskés Imre E.V.
Registered office: 6724 Szeged, Sík Sándor utca 3., Hungary
Contact: https://cwdstudio.hu/

Further IT data processors:

Company name: Google Ireland Limited (Google Meet services)
Role: Provision of services supporting the operation of the Website (Google Analytics, Google Fonts, Google Tag Manager) and online video communication (Google Meet)
Address: Gordon House, Barrow Street, Dublin 4, Ireland
Further information on data processing: https://policies.google.com/
Data transfer to third country: service provider certified under the EU–US Data Privacy Framework (DPF)

Company name: Meta Platforms Inc.
Role: Provision of Facebook and Instagram presence and communication, and technical services for advertising purposes (e.g. Facebook Pixel, messaging)
Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Further information on data processing: https://www.facebook.com/privacy
Data transfer to third country: Meta Platforms Inc. is certified under the Data Privacy Framework (DPF)

2.2. Service provider for accounting and payroll tasks

These data processors receive from our Office the personal data necessary for carrying out accounting and payroll duties.

Service provider:

Name: Angel Consulting Kft.
Registered office: 6722 Szeged, Tábor utca 7/B, Hungary
E-mail: konyveles@angelconsulting.hu

3. Definitions

Data processing:
Carrying out technical operations related to data processing activities, regardless of the method or device used for execution, and regardless of the location of application, provided that the technical operation is performed on the data.

Data Processor:
Any natural or legal person, or organization without legal personality, that processes data on the basis of a contract concluded with the Data Controller – including contracts concluded pursuant to statutory provisions.

Data processing (adatkezelés):
Any operation or set of operations performed on data, irrespective of the procedure applied; in particular, collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure or destruction, as well as preventing further use of the data, taking photographs, audio or video recordings, and the recording of any physical characteristics suitable for identifying a person (e.g. fingerprints, palm prints, DNA samples, iris images).

Data Controller:
Any natural or legal person, or organization without legal personality, which alone or jointly with others determines the purposes of the processing of data, and makes and executes decisions concerning data processing (including the means used), or has such decisions executed by a Data Processor.

Data transfer:
Making data available to a specified third party.

Data erasure:
Making data unrecognizable in such a way that their restoration is no longer possible.

Data blocking:
Marking data with an identification tag for the purpose of limiting its processing in the future, either permanently or for a specified period.

Cookie:
When the Data Subject visits the Website, a small file, a so-called cookie (hereinafter: “cookie”) is placed on their computer, which can serve various purposes. Some cookies are essential for the proper functioning of the Website (session cookies), while others collect information on the use of the Website (statistics) in order to make the Website more convenient and useful. Some cookies are only temporary and disappear when the browser is closed, while others are persistent and remain on the computer for a longer period.

Data Subject / User:
Any identified or, directly or indirectly, identifiable natural person on the basis of personal data.

Third party:
Any natural or legal person or organization without legal personality other than the Data Subject, the Data Controller, or the Data Processor.

Consent:
A freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them, in whole or in part.

Special categories of data:
Personal data revealing racial or ethnic origin, nationality, political opinions or party affiliation, religious or philosophical beliefs, trade union membership, sex life, personal data concerning health, addiction, or personal data relating to criminal convictions and offences.

Visitor:
A natural person who loads the Website (drzsomlajos.hu) in their browser.

Disclosure:
Making the data accessible to anyone.

Personal data:
Any information relating to an identified or identifiable Data Subject – in particular the Data Subject’s name, identification number, and one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity – as well as conclusions which can be drawn from the data concerning the Data Subject.

Objection:
A declaration by the Data Subject by which they object to the processing of their personal data and request the termination of data processing and/or the erasure of processed data.

II. Description of Data Processing Activities

4. Categories of Personal Data Processed

You may access and browse the Website without providing personal data; however, to browse the Website you must accept the cookie policy, and for newsletter subscription you must accept this Privacy Notice.

4.1. Communication data related to online enquiries

Category of Data Subjects:
Users who send any message to us via the Website, by e-mail, via social media messages, or by any other means of communication.

Legal basis for processing:
Voluntary consent of the Data Subject.

Purpose of processing:
To reply to the Data Subject’s enquiry; to send a quotation to the Data Subject; to respond to the Data Subject’s comments or any complaints; and to provide a basis for decisions in the event of potential legal claims.

Data processed:
Name, e-mail address, telephone number, message.

4.2. Customer and user data related to online orders

Category of Data Subjects:
Users who place an order through the Website, or users who register through the Website.

Legal basis for processing:
Performance of a contract.

Purpose of processing:
Fulfilment of the order and issuing the invoice.

Data processed:
Name, e-mail address, billing address, shipping address, telephone number, data of the purchased product.

4.3. Data related to online consultations

Category of Data Subjects:
Users who book an appointment for an online conversation via the Website.

Legal basis for processing:
Performance of a contract (GDPR Article 6(1)(b)).

Purpose of processing:
Arranging the time of the consultation, performing the service, and issuing the invoice.

Data processed:
Name, e-mail address, telephone number, billing data.

Note:
Any health-related information that may be mentioned during the consultation is not recorded, documented, or stored by the Data Controller. Due to the nature of the conversation, no health data processing takes place.

4.4. Data related to contractual relationships

Category of Data Subjects:
Natural and legal persons (and entities without legal personality) that enter into a service contract with the Data Controller.

Legal basis for processing:
Performance of a contract.

Purpose of processing:
Concluding the contract and performing the requested service.

Data processed:
Name, e-mail address, telephone number, billing address, mailing address, tax number, company registration number, date of conclusion of the contract.

4.5. Statistical and technical data

Category of Data Subjects:
Visitors to the Website.

Legal basis for processing:
Voluntary consent of the Data Subject.

Purpose of processing:
Analysis of user behaviour, maintaining the secure operation of the Website, and understanding the effectiveness of marketing decisions.

Data processed:
IP address, login information, browser data, time spent on each page, page views and navigation paths, number and date/time of visits, time zones, and device data used to access the Website.

4.6. Marketing data related to advertising

Category of Data Subjects:
Visitors, and Data Subjects who have purchased a product or used a service from the Data Controller.

Legal basis for processing:
Voluntary consent of the Data Subject.

Purpose of processing:
Providing relevant advertisements on the Facebook™ platform and across various dynamic advertising surfaces, and measuring the effectiveness of advertisements.

Data processed:
IP address, name, e-mail address.

The Data Controller does not process special categories of data (in particular, health data) in the course of its activities. Any health-related information that may be mentioned during the online consultation is not recorded or stored.

5. Further Information on Data Processing

5.1. Methods of data collection

The Data Controller may collect personal data in the following ways:

  • The User provides them directly (for example, by placing an order or sending a message).
  • Certain data are collected automatically during use of the Website, for example through so-called “cookies” and similar technologies. These are only activated after the User has given consent. For more details, please consult our Cookie Notice.
  • Certain data are received from external partners, such as analytics service providers like Google (partner outside the EU), advertising networks such as Facebook™ (partner outside the EU), and payment service providers.

5.2. Retention period of data processing

The Data Controller stores the personal data of Users only for as long as required by legal/accounting/reporting obligations or as necessary for the operation of the service.

For tax purposes, billing and purchase data of customers must be retained for at least 8 years.

Under certain circumstances, the Data Controller may use data in anonymized form for statistical purposes, in which case such data may be stored indefinitely without further notice.

The Data Subject may withdraw their consent to data processing at any time by sending an e-mail or postal letter to the contact details of the Data Controller given above. Notwithstanding the withdrawal of consent, certain data may still be processed by the Data Controller for the period necessary to comply with legal obligations or to enforce its legitimate interests.

5.3. General data processing principles

In each of the processing activities listed in Section 4 and its sub-sections, the Data Controller processes personal data strictly in accordance with the purposes and legal bases specified therein and the laws listed in Section 5.4.

Personal data are processed in all cases on the basis of legitimate interest, legal obligation, or the voluntary consent of the Data Subject. The Data Subject may withdraw their consent at any time.

In certain cases, pursuant to statutory obligations, the Data Controller is required to process, transfer, or store certain personal data in a manner different from that described in this Privacy Notice. In such cases, the Data Controller shall inform the Data Subjects, where permitted and not expressly prohibited by the relevant legislation.

5.4. Applicable data protection legislation

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR)
  • Act V of 2013 on the Civil Code (Hungary)
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.)
  • Act CVIII of 2001 on certain issues of electronic commerce services and information society services (in particular Section 13/A)
  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (in particular Section 6)
  • Act XC of 2005 on Electronic Freedom of Information
  • Act C of 2003 on Electronic Communications (in particular Section 155)
  • Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising

III. Data Transfers, Data Processing, and Parties with Access to Data

6. Parties with access to data

The Data Controller grants access to the processed data only to those persons whose work under an employment relationship or other legal relationship directly requires access for the purpose of fulfilling the data processing activities.

In addition to the Data Controller’s organization, only the Data Processors listed in Section I, point 2 may have access to the personal data provided by you.

IV. Data Security

7. Data Security

The Data Controller takes all reasonably expected measures to protect your personal data. Certain data are stored in encrypted form, and other data are only accessible after identification even by the Data Controller. Data are stored on several independent devices, and services of several separate companies and organizations are used.

To protect the data generated and collected on the Website, the Data Controller uses an SSL certificate, and to protect the Website against attacks, a premium security software solution is applied.

Access to personal data is strictly limited to persons whose tasks may relate to such data and to authorized third parties to the extent necessary for their tasks; these persons are bound by confidentiality and obligations regarding the confidential handling of personal data. These tasks and any external data processing are always recorded in the relevant current contracts.

V. Your Rights in Relation to Data Processing

8. Your Rights in Relation to Data Processing

The Data Subject may request information on the processing of their personal data, and may request the rectification, and – with the exception of mandatory data processing – the erasure or withdrawal of their personal data. The Data Subject may exercise their right to data portability and their right to object in the manner indicated at the time of data collection, or via the contact details of the Data Controller given above.

8.1. Right to be informed

The Data Controller shall take appropriate measures to provide the Data Subjects with all information referred to in Articles 13 and 14 of the GDPR and all notifications referred to in Articles 15–22 and 34 relating to processing in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

8.2. Right of access

The Data Subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information: the purposes of processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organizations; the envisaged period for which the personal data will be stored; the right to rectification, erasure or restriction of processing and the right to object; the right to lodge a complaint with a supervisory authority; information as to the source of the data; the existence of automated decision-making, including profiling, and meaningful information about the logic involved and the significance and envisaged consequences of such processing for the Data Subject. The Data Controller shall provide the information within one month of receipt of the request at the latest.

8.3. Right to rectification

The Data Subject may request the rectification of inaccurate personal data concerning them and the completion of incomplete data processed by the Data Controller.

8.4. Right to erasure (“right to be forgotten”)

The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the Data Subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;
  • the personal data have been collected in relation to the offer of information society services.

Erasure cannot be requested where processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or
  • for the establishment, exercise, or defence of legal claims.

8.5. Right to restriction of processing

The Data Subject has the right to obtain from the Data Controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
  • the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Data Controller no longer needs the personal data for the purposes of processing, but they are required by the Data Subject for the establishment, exercise, or defence of legal claims; or
  • the Data Subject has objected to processing; in this case, the restriction applies for the period until it is verified whether the legitimate grounds of the Data Controller override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent, or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest of the Union or of a Member State.

8.6. Right to data portability

The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller.

8.7. Right to object

The Data Subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or for the purposes of the legitimate interests pursued by the Data Controller or by a third party, including profiling based on those provisions. In such a case, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defence of legal claims.

8.8. Automated individual decision-making, including profiling

The Data Subject has the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning them or similarly significantly affects them.

8.9. Right to withdraw consent

The Data Subject has the right to withdraw consent at any time.

8.10. Right to seek judicial remedy

In the event of a violation of their rights, the Data Subject may bring an action before a court against the Data Controller. Before initiating court proceedings, however, the User must first request the Data Controller, by using one of the contact details listed in Section 1, to fulfil the requirements, clearly specifying the alleged infringement.

8.11. Right to lodge a complaint with a supervisory authority

The Data Subject may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):

Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Registered office: 1055 Budapest, Falk Miksa utca 9–11., Hungary
Postal address: 1363 Budapest, Pf. 9., Hungary
Tel.: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

VI. Other Provisions

9. Marketing communication

Under the EU’s Privacy and Electronic Communications Regulations (PECR), the Data Controller may send marketing communications to Users if they have explicitly consented to receiving marketing messages.

The Data Controller always ensures that the suspension of consent and unsubscribing from such messages is clearly and easily accessible. Each e-mail contains a link at the bottom for unsubscribing, or removal from the database may be requested via any of the contact details listed in Section 1.

Even after unsubscribing from marketing communications, the Data Controller may still send messages related to the fulfilment of orders.

10. Links to other websites

This Website may contain links to external websites, or embedded code snippets that enable the operation of external services.

By clicking these links or using embedded solutions, external partners may be able to collect data about Users.

The Data Controller has no control over these websites and cannot be held responsible for their content or for their personal data processing practices. For the security of your personal data, you are advised to read the privacy policies and data protection statements of any websites you access through links on this Website.

11. Cookie management

For more information about the management of cookies, please refer to the Cookie Notice available on the Website.

12. Cooperation with authorities

In the event of requests from authorities or other organizations based on legal obligations, the Data Controller may be obliged to disclose data. In such cases, the Data Controller endeavours to disclose only such personal data, and only to the extent, that is strictly necessary in view of the data disclosure obligation.

13. Amendments to this Notice

The Owner reserves the right to unilaterally amend this Privacy Notice. If the Owner amends this page on the basis of its own decision or due to legal requirements, the amendment will be published – updated – on the Website, and the modification shall be effective and automatically applicable from the date of publication. Therefore, we kindly draw your attention to the importance of reading the latest version of this Notice available on the Website.