DATA PROTECTION STATEMENT OF FOTONATURA LTD. 

1 Controller

Name: FOTONATURA Ltd. 

Address: 6769 Pusztaszer, Mező Str 2/B, Hungary 

Data controller’s representative: Bence Máté  

Data controller’s contact re. data protection: office@matebence.hu 

This statement is the controller’s unilateral commitment, based upon the European Parliament  and the Council (EU) as well as the relevant member states’ regulation No. 2016/679 of 27  April 2016.  

This statement may be unilaterally modified and/or revoked by the controller at any time, with  the simultaneous notification of the interested parties. The information is published on the  website, depending on the nature of the amendment, by direct notification of the interested  parties.  

2 Purpose of data management 

2.1. Contact with partners, customers, and suppliers 

User’s identification, their distinction from the other clients or interested parties;  communications; participation in events and related services, quotes, contracts, contact data  management.  

Legal basis of data management: Enforcement of data controller’s legitimate interest in order to keep contact records for performance of contracts and agreements (Article 6 (1) f).

Scope of data processed: Name, address, e-mail address, phone number, unique identifier, type of contact

Planned deadline of processing: Until the last business day of the month of March of the  4th year following the termination of the partnership agreement or the objection of the  interested party 

Source of data: The interested party  

2.2 Management of request of offer  

Management and answering of questions, offers sent to the organization’s central email  address or the employee’s personal email address. Sending offers.  

Legal basis of data management: Enforcement of data controller’s legitimate interest  (Article 6 (1) f). It is the controller’s legitimate interest to keep records of communications  and contacts’ data prior to the agreement. 

Scope of data processed: Name, address, e-mail address, phone number, unique identifier

Planned deadline of processing: Until the last business day of the month of March of the 2nd year from the receipt of offer or the objection of the interested party

Source of data: The interested party

2.3 Issue of invoice and compulsory documentation related to the implementation  of services  

Issue of invoice and compulsory documentation related to the implementation of services.

Legal basis of data management: Controller’s compliance with legal obligations (Article 6 (1), c)

Scope of data processed: Billing name and address, e-mail address, contact name and  position  

Planned deadline of processing: At least 8 years 

Source of data: The interested party  

2.4 Management and filing of agreements  

Management and filing of agreements related to the controller’s activity; management and  keeping up-to-date the contracting party’s contact data; the contracting party’s authorized  representative’s data and updating them.  

Legal basis of data management: Controller’s compliance with legal obligations (Article 6 (1), f). Keeping records of the contact’s data is the controller’s legitimate interest.

Scope of data processed: Name, phone number, e-mail address, signature

Planned deadline of processing: Until the last business day of the month of March of the 4th year following the termination of the agreement or the objection of the interested party.

Source of data: The interested party

2.5 Advertisement of service(s), provision of information to partners, newsletters

Request for new or renewed services, direct business acquisitions and marketing for advertising purposes, surveys, invitation to marketing events, eDM, phone calls involving telemarketing services.

Legal basis of data management: The interested party’s consent (Article 6 (1) a)

Scope of data processed: Name, company name, e-mail, phone number

Planned deadline of processing: Until the withdrawal of the interested party’s consent

Source of data: The interested party

2.6 Registration to events 

Management of events and registration related to the events organized by the controller.

Legal basis of data management: The interested party’s consent (Article 6 (1) a)

Scope of data processed: Name, company name, title, e-mail address, phone number, number of adult guests, number of underage (under 16 years of age) guests

Planned deadline of processing: Until the withdrawal of the interested party’s consent

Source of data: The interested party

2.7 Event photos and videos, their publication in social media platforms

The controller takes photos and videos of the events organized by them, which can be published on the controller’s website and Facebook page, furthermore, they can be stored in their own organizational databases.

Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). The controller’s legitimate interest is the company’s personalized  communication on their own website and social media.  

Scope of data processed: face and body image 

Planned deadline of processing: Until the interested party’s objection

Source of data: The interested party

2.8 Management and administration of orders  

Administration of orders until the conclusion of the contract or the circumvention of the order.

Legal basis of data management: Implementation of agreement (Article 6 (1) b)

Scope of data processed: Name, address, e-mail address, phone number, unique identifier

Planned deadline of processing: Until the last business day of the month of March of the 4th year following the termination of the contract, or the objection of the interested party

Source of data: The interested party

2.9. Delivery of orders 

Delivery by courier service, delivery to a courier service centre or delivery point.

Legal basis of data management: Implementation of contract (Article 6 (1) b)

Scope of data processed: Name, phone number, unique identifier

Planned deadline of processing: Until the expiration of withdrawal time, following the  delivery  

Source of data: The interested party  

2.10 Operation of an electronic monitoring system  

Protection of the security of the controller’s premises, the controller’s property, their employees’ and visitors’ health and property, investigation of circumstances of accidents and crimes that may occur.

Legal basis of data management: Enforcement of the controller’s legitimate interest  (Article 6 (1) f). The controller has a legitimate interest in managing the guests and employees’  personal data in order to protect its assets.  

Scope of data processed: The image of a natural person, motion picture recording  (hereinafter referred to as ‘recorded together’)  

Planned deadline of processing: 1 week

Source of data: The interested party  

2.11 Google Analytics  

It measures the figures of website use  

Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). The controller has a legitimate interest in monitoring website use in order to improve customer satisfaction and service.

Scope of data processed: The data transmitted are not suitable for the data subjects’  identification.  

Planned deadline of processing: Until the objection of the interested party

Source of data: The interested party

2.12 Management of disclaimers  

The Controller enters into a liability agreement with its customers concerning the services  provided.  

Legal basis of data management: Fulfilment of agreement (Article 6 (1) b)

Scope of data processed: Name, address, identifiable data

Planned deadline of processing: Until the implementation of the agreement

Source of data: The interested party

After the expiry of the deadline, the controller reclassifies it to the following data management  purpose:  

New purpose of data management: Enforcement of legal claims 

Planned deadline of processing: Until the general statute of limitation, but maximum the  last business day of the first month of March following the 4th year 

2.13 Acknowledgement of the Covid-19 rapid test results  

In order to protect the interested party or another natural person’s vital interests, a Covid-19  rapid test is made right before the use of service provided.  

Legal basis of data management: Fulfilment of agreement (Article 6 (1) b)

Scope of data processed: Name, Covid test result

Planned deadline of processing: Until entering into contract  

Source of data: The interested party  

2.14 Ensuring IT business continuity and data backup 

Operation of IT systems and infrastructure, including operation of workstations and network elements, archiving and saving data as well as restoring them in the event of an emergency.

Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). It is the controller’s legitimate interest to supervise, maintain, assemble, troubleshoot, regularly save and archive IT systems in order to maintain business.

Scope of data processed: All categories of digital data collected or managed by the  Organization  

Planned deadline of processing: The Organization saves the data of the IT system for 30  days, and archives the data until the last business day of the month of March of the 2nd year  following the backup.  

Source of data: The interested party  

2.15 Management of employee and customer data for legal and other claims

The controller shall retain the employees’ and customers’ personal data for the purpose of asserting legal claims after the data has been provided during the general limitation period.

Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). The controller has a legitimate interest in addressing the legal and other needs of employees and customer data.

Scope of data processed: During the period of employment and the duration of contract, personal data managed according to individual data management purposes.

Planned deadline of processing: After the termination of the employment contract, no later than the last business day of the first month of March, following the 2nd full year, or after the termination of the customer agreement, no later than the last business day of the first month of March following the 4th full year, or, in case of legal proceedings, 5 years after the conclusion of the legal proceedings.

Source of data: Reclassified from data collected for other data management purposes  

2.16 Data management related to the GDPR regulation  

Data management related to the GDPR regulation.  

Legal basis of data management: Enforcement of the controller’s legitimate interest  (Article 6 (1) c).  

Scope of data processed: Name, data protection identification, interested party’s request,  date, type, content, result of interested party’s request, incident’s date, documentation and  result  

Planned deadline of processing: Non-discardable  

Source of data: The interested party  

3 Consequence of failure to provide data  

Possible consequence of failure to provide data: Failure of the purpose of data management  

4 Persons affected 

The partners who have a contract with the controller and the contact persons provided by  them, as well as representatives of natural persons or legal entities who acquire or provide the  products of the Organization. 

5 Range of mandatory data 

The data controller does not mark the data that must be filled in separately on the individual  data entry interfaces, where all data is required to be entered. On interfaces where not all data is mandatory, the controller indicates the data fields that must be entered by displaying  an asterisk*.  

6 Children 

Our products and services are not intended for persons under the age of 18 and do not fall  under the scope of services related to the information society. Persons under the age of 18  are asked not to provide personal data to the data controller. Should we become aware that  we have collected personal data from a child under the age of 18, we will take the necessary  steps to delete the data as soon as possible.  

7 Information concerning the use of data processing 

The controller shall forward the data to the processor(s) contracted in order to implement the  contract during the processing.  

Categories of recipients: Authorities, social media sites, postal services, courier services

Data processors: Newsletter supplier, event organizer, photo and video provider, hostess provider, website operator, IT provider, property protection provider, legal consultant, GDPR consultant

8 Persons entitled to access the data 

The data controller shall not forward the data obtained to third parties, except for the data  processor(s) and recipients indicated in Article 7.  

8.1 Access to IT backup data 

The Controller stores IT backups separately for access control. The saved data can only be  accessed by the IT operations colleagues, who are subject to appropriate documentation  procedures. In case of restoration from a data backup, there is a documented procedure for  the review process of the data restored from the data backup prior to live use.  

8.2 Access to the data of video monitoring system 

The controller shall not forward the recordings to third parties, except for the asset protection  service provider specified in Article 7. Only the controller and data processor(s)’s designated  employees are entitled to view the recordings.  

The data protection officer and the managing director can access the recordings made by the electronic monitoring system. Upon request, the data subject may only access recordings made  of their person in the presence of one of the above-mentioned persons. In all cases, access  shall be requested in writing by the data protection officer.  

In each case, the controller shall prepare a record of the access, which will be stored by the  company for 1 year.  

8.3 Persons authorized to restrict images of an electronic monitoring system

The limitation of recordings provided by electronic monitoring system may only be allowed in cases where the controller has detected an event that could potentially jeopardize the objective pursued by the electronic monitoring system.

At the request of the party involved, the processing of recordings made of their own person  may be restricted. The party involved shall request the restriction in writing, at the Data  Protection Officer, indicating its purpose and expected duration.  

A record of each step of the restriction process is prepared by the controller, who shall store  it for a period of 1 year.  

8.4 Disclosure of data  

The controller shall not disclose the recordings of the electronic monitoring system. 

9 Management of data received from third parties 

If the User/Partner does not provide their own data to the controller, but another natural  person’s, the User/Partner is solely responsible for providing the data with the consent,  knowledge, and adequate information of this natural person. The controller is not liable to  examine their existence. The controller draws the User/Partner’s attention to the fact that  should they not comply with their obligation, which results in the data subject’s claim against  the controller, the controller may pass on the claim and the amount of the damage to the  User/Partner.  

10 Data transmission to a third country or international organization

The controller shall not forward the data subject’s personal data and recordings to third countries or international organizations outside the European Economic Area.

11 The rights of the involved party 

The involved party may ask the controller via the contacts highlighted in Article 1 to:

  • provide access to a copy of their personal data managed by the controller,
  • correct their data,
  • provide information regarding the goals and legal basis of data management,
  • erase their personal data and restriction of processing.

The data subject may exercise their abovementioned right at any time, and they can address to the controller at one of the contact addresses indicated in Article 1.

  • The involved party can request the transfer of their data to another controller where the processing is based on a contractual or a contribution and is managed by the Organization through an automated procedure.
  • The involved party may specify the withdrawal of their contribution previously to the processing of data.

The controller shall take care of or reject the notification within 1 month of submission of the application or, in exceptional cases, within a longer period of time permitted by the law. The involved party shall be informed in writing of the outcome of the investigation.

11.1 The costs of information  

The Organization shall provide the measures and the necessary information free of charge for  the first time.  

If the involved party requests the same data for the second time within a month, which have not changed during this time, the controller shall charge administrative costs.

  • The basis of the administrative costs is the hourly wage of the minimum wage as an hourly rate.
  • The number of working hours used for information shall be calculated as the first hourly rate.
  • Furthermore, in case of a paper-based information request, the printing cost of the response at cost price and postal fees.

11.2 Refusal of information 

Should the data subject’s request be clearly unfounded, they are not entitled to information,  or the organization, as a controller, is able to prove that the data subject has the requested  information, the controller will reject the request for information.  

If the data subject’s request is excessive due to its repetitive nature, the organization may  refuse to take action based on the request, if 

  • within one month, they submit an application related to the exercise of rights for the  3rd time, under Articles 15 – 22 in the same subject matter. 

11.3 Right to object 

The involved party may at any time object to the treatment of their personal data based on  the legal basis of legitimate interest or public authority.  

In this case, the Organization may no longer process the personal data, unless it proves that  the data processing is justified by compelling, legitimate reasons that take priority over the  interests, rights and freedom of the data subject, or they are related to the presentation,  enforcement or defence of legal claims.  

Should the objection be well-founded, the Organization shall terminate the processing of data  as soon as possible, including data transmission and further processing. It shall notify all the  objections that have been submitted by the involved party.  

Processing the request is free of charge, except for unfounded or excessive requests, which  may be charged a reasonable fee, corresponding to its administrative costs by the controller.  If the data subject does not agree with the decision made by the controller, they may apply  to the courts.  

12 Information on data security measures  

The controller manages the data in a closed system, based on the requirements of the  Information Security Policy. To this end, the controller applies appropriate technical and  organizational measures in order to:  

  • accurately regulate access to data, 
  • grant access only to individuals whose data is necessary for the purpose of carrying  out the task, and only to access the minimum data necessary for the fulfilment of the  task.  
  • carefully select the data processors commissioned and ensure the security of the data  by means of an appropriate data processing agreement, 
  • ensure the integrity, authenticity, and protection of the data processed (data integrity).

The controller applies reasonable physical, technical and organizational security measures in order to protect data subjects, especially against the accidental, unauthorized or illegal destruction, loss, alteration, transmission, use, access or processing of their data. The controller shall immediately notify the data subject in the event of unauthorized access to or use of personal data which might pose a high risk as far as the data subject is concerned.

Should the transmission of the information be required, the controller shall ensure that the  data transmitted are adequately protected e.g., by encryption of the file. The controller is fully  responsible for data management by third parties.  

The controller shall also ensure adequate and regular security clearance to ensure that the  subjects’ data are protected against loss or destruction.  

13 Legal remedy  

Should the concerned party consider that 

  a) the controller restricts the enforcement of their rights or rejects their request for this purpose, the National Data Protection and Freedom of Information Authority may launch an investigation by notification in order to investigate the lawfulness of the controller’s measures,
  b) when processing personal data, the controller violates the legal requirements governing the processing of personal data,
  • they may apply for the official data protection procedure, conducted by the National  Data Protection and Freedom of Information Authority; furthermore, 
  • they can go to court against the controller, and if they choose, they can also launch a  lawsuit before the competent court, according to their place of residence. 

Contact details of the National Data Protection and Freedom of Information Authority:  

President: Attila Péterfalvi dr.  

Address: 1055 Budapest, Falk Miksa Street 9 – 11 

Postal address: 1363 Budapest, Pf. 9. 

Tel.: +36-1-3911400 

E-mail: ugyfelszolgalat@naih.hu 

www.naih.hu 

Budapest, 3 January 2023
