Gergely Gábor PAPP (7635 Pécs, Nagyszkókói út 36.) (hereinafter: Service Provider, controller) submits to the following policy:
Pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EK (General Data Protection Regulation), we provide the following information.
This privacy policy governs the data processing of the following pages: doctor-to-be.org
Name: Gergely Gábor PAPP
Registered office: 7635 Pécs, Nagyszkókói út 36.
E-mail: info kukac doctor-to-be.org
1. “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. “processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. “controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may also be provided for by Union or Member State law;
4. “processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
5. “recipient”: a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether or not it is a third party. Public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing;
6. “consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
7. “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.
Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
b) collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) shall not be considered incompatible with the initial purposes (“purpose limitation”);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay (“accuracy”);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods only insofar as the personal data will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject also to the implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
The controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).
The controller declares that its processing is carried out in accordance with the principles set out in this section.
1. Pursuant to Section 6 of the 2008. évi XLVIII. törvény on the basic conditions and certain restrictions of commercial advertising activities, the User may give prior and explicit consent for the Service Provider to contact them at the contact details provided at registration with advertising offers and other communications.
2. Furthermore, with due regard to the provisions of this notice, the Client may consent to the Service Provider processing the personal data necessary for sending advertising offers.
3. The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving offers free of charge, without restriction or justification. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User may unsubscribe from advertisements by clicking the link in the message.
4. The fact of data collection, the scope of the processed data and the purpose of data processing:
| Personal data | Purpose of data processing |
| Name, e-mail address. | Identification, enabling subscription to the newsletter. |
| Region | Providing thematic messages based on location. |
| Time of subscription | Performing a technical operation. |
| IP address at the time of subscription | Performing a technical operation. |
5. Scope of data subjects: all data subjects subscribing to the newsletter.
6. Purpose of data processing: sending electronic messages containing advertisements (e-mail, SMS, push message) to the data subject, providing information about current information, products, promotions, new features, etc.
7. Duration of data processing, deadline for deletion of data: data processing lasts until the withdrawal of the consent declaration, i.e. until unsubscribing.
8. Persons of possible controllers authorized to access the data, recipients of personal data: Personal data may be processed by the controller's sales and marketing staff, in compliance with the above principles.
9. Description of the rights of data subjects in relation to data processing:
10. The data subject may initiate access to, erasure, modification or restriction of processing of personal data, data portability, or objection in the following ways:
– by post
– by e-mail.
11. The data subject may unsubscribe from the newsletter at any time, free of charge.
12. Legal basis for data processing: the data subject's consent, Article 6(1)(a) and (f), and Section 6(5) of the 2008. évi XLVIII. törvény on the basic conditions and certain restrictions of commercial advertising activities:
The advertiser, the advertising service provider and the publisher of the advertisement shall keep records of the personal data of persons who have made a consent declaration to them, within the scope specified in the consent. The data recorded in this register concerning the recipient of the advertisement may be processed only in accordance with the consent declaration until its withdrawal, and may be transferred to a third party only with the prior consent of the data subject.
13. Please be informed that
1. The fact of data collection, the scope of the processed data and the purposes of data processing:
| Personal data | Purpose of data processing |
| Family name, first name | Identification. |
| E-mail address | Contact, sending system messages. |
| Time of registration | Performing a technical operation. |
| IP address of registration | Performing a technical operation. |
In the case of the e-mail address, it does not need to contain personal data.
2. Scope of data subjects: all data subjects registered on the website.
3. Duration of data processing, deadline for deletion of data: Data processing lasts until the end of the event, unless the registered person decides otherwise.
4. Persons of possible controllers authorized to access the data, recipients of personal data: Personal data may be processed by the controller's staff authorized for this purpose, based on the provisions of this notice.
5. Description of the rights of data subjects in relation to data processing:
– The data subject may request from the controller access to the personal data concerning them, rectification, erasure or restriction of processing of such data, and
– the data subject has the right to data portability and to withdraw consent at any time.
6. The data subject may initiate access to, erasure, modification or restriction of processing of personal data, and data portability in the following ways: by post or by e-mail.
7. Legal basis for data processing: Article 6(1)(a) and (b).
8. Please be informed that
– the data processing is based on your consent and is necessary in order to take steps at your request prior to entering into a contract.
– you are required to provide the personal data so that we can register you for the event.
– failure to provide the data will have the consequence that you cannot attend the event.
1. The fact of data collection, the scope of the processed data and the purpose of data processing:
| Personal data | Purpose of data processing |
| Name | Identification |
| E-mail address | Contact, sending reply messages |
| Content of the message | Necessary for responding |
| Time of contact | Performing a technical operation. |
| IP address at the time of contact | Performing a technical operation. |
In the case of the e-mail address, it does not need to contain personal data.
2. Scope of data subjects: All data subjects sending a message through the contact form.
3. Duration of data processing, deadline for deletion of data: If any of the conditions set out in Article 17(1) of the GDPR applies, it lasts until the data subject's request for erasure.
4. Persons of possible controllers authorized to access the data, recipients of personal data: Personal data may be processed by the controller's staff authorized for this purpose.
5. Description of the rights of data subjects in relation to data processing:
The data subject may request from the controller access to the personal data concerning them, rectification, erasure or restriction of processing of such data, and the data subject has the right to data portability and to withdraw consent at any time.
6. The data subject may initiate access to, erasure, modification or restriction of processing of personal data, and data portability in the following ways: by post or by e-mail.
7. Legal basis for data processing: the data subject's consent, Article 6(1)(a), (b) and (c). If you contact us, you consent to the processing of the personal data (name, e-mail address) that came into our possession during the contact process in accordance with this policy.
8. Please be informed that
1. The fact of data collection, the scope of the processed data and the purpose of data processing:
| Personal data | Purpose of data processing |
| Name, e-mail address, telephone number. | Contact, identification, performance of contracts, business purpose. |
2. Scope of data subjects: All data subjects who maintain contact with the controller by telephone/e-mail/in person, or who have a contractual relationship with the controller.
3. Duration of data processing, deadline for deletion of data: Letters containing inquiries are retained until the data subject's request for erasure, but for a maximum of 2 years.
4. Persons of possible controllers authorized to access the data, recipients of personal data: Personal data may be processed by the controller's authorized staff, in compliance with the above principles.
5. Description of the rights of data subjects in relation to data processing:
The data subject may request from the controller access to the personal data concerning them, rectification, erasure or restriction of processing of such data, and the data subject has the right to data portability and to withdraw consent at any time.
6. The data subject may initiate access to, erasure, modification or restriction of processing of personal data, and data portability in the following ways: by post or by e-mail.
7. Legal basis for data processing:
7.1. Article 6(1)(b) and (c) of the GDPR.
7.2. In the case of enforcing claims arising from a contract, 5 years pursuant to Section 6:21 of the 2013. évi V. törvény on the Civil Code.
6:22. § [Limitation period]
(1) Unless this Act provides otherwise, claims shall become time-barred after five years. (2) The limitation period begins when the claim becomes due.
(3) An agreement aimed at changing the limitation period must be made in writing. (4) An agreement excluding limitation is null and void.
8. Please be informed that
“recipient”: a natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not it is a third party.
The controller uses data processors to support its own processing activities and to fulfil its contractual obligations toward the data subject, as well as its obligations imposed by law.
The controller places great emphasis on using only data processors that provide sufficient guarantees for implementing appropriate technical and organisational measures to ensure compliance with the requirements for processing set out in the GDPR and the protection of the rights of data subjects.
The data processor and any person acting under the authority of the controller or the processor who has access to personal data shall process the personal data covered by this policy only in accordance with the controller’s instructions.
The controller bears legal responsibility for the activities of the data processor. The data processor is liable for damage caused by processing only if it has failed to comply with the obligations specifically imposed on processors under the GDPR, or if it has disregarded or acted contrary to the lawful instructions of the controller.
The data processor has no substantive decision-making authority regarding the processing of data.
The controller may use a hosting service provider to provide the IT infrastructure and a courier service to deliver ordered products, acting as data processors.
| DATA PROCESSING ACTIVITY | NAME | ADDRESS, CONTACT DETAILS |
| Technical operation | ACTIVE VISION Kft. | 1124 Budapest, Tamási Áron utca 59. (cégjegyzékszám: 01-09-867103, adószám: 13669328-2-43, e-mail: support@active.hu) |
| Hosting service | Hostinger International Ltd | 61 Lordou Vironos str., 6023 Larnaca, Ciprus (e-mail: gdpr@hostinger.com) |
| Domain and DNS service | Cloudflare, Inc. | 101 Townsend Street, San Francisco, CA 94107, USA |
| Web analytics (Google Analytics) | Google LLC | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
For detailed information on how this website uses cookies, please see the Cookie Policy.
1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files stored on your computer, which help analyze the use of the website visited by the User.
2. The information generated by cookies in relation to the website used by the User is usually transmitted to and stored on a Google server in the USA. By activating IP anonymization on the website, Google will first shorten the User’s IP address within Member States of the European Union or in other states party to the Agreement on the European Economic Area.
3. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate how the User used the website, to prepare reports for the website operator on website activity, and to provide further services related to website and internet use.
4. The IP address transmitted by the User’s browser within the framework of Google Analytics will not be merged with other Google data. The User may prevent the storage of cookies by selecting the appropriate settings in their browser; however, please note that in this case it may occur that not all functions of this website will be fully usable. The User may also prevent Google from collecting and processing the data generated by cookies and related to the User’s website use (including the IP address) by downloading and installing the browser plugin available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu
1. The Facebook Pixel is a code that enables reports on conversions to be created on the website, target audiences to be compiled, and the owner of the site to receive detailed analytical data on visitors’ use of the website. With the help of the Facebook remarketing pixel tracking code, personalized offers and advertisements may be displayed to website visitors on the Facebook platform. The Facebook remarketing list is not suitable for personal identification. Further information about the Facebook Pixel / Facebook pixel can be found here: https://www.facebook.com/business/help/651294705016616
1. The fact of data collection and the scope of the processed data: the name registered on Facebook / Twitter/ Pinterest / Youtube / Instagram etc. social media sites, and the user’s public profile picture.
2. The data subjects concerned: All data subjects who are registered on Facebook / Twitter / Pinterest / Youtube / Instagram etc. social media sites and have “liked” the Service Provider’s social media page, or contacted the controller through the social media site.
3. Purpose of data collection: Sharing, “liking”, following, and promoting certain content elements, products, promotions of the website, or the website itself on social media sites.
4. Duration of data processing, deadline for deletion of data, the possible controllers entitled to access the data, and description of the data subjects’ rights related to data processing: The data subject may obtain information on the source of the data, its processing, and the method and legal basis of transfer on the relevant social media site. Data processing takes place on social media sites; therefore, the rules of the relevant social media site apply to the duration and method of processing, as well as to the possibilities for deleting and modifying the data.
5. Legal basis of data processing: the data subject’s voluntary consent to the processing of their personal data on social media sites.
1. If, during the use of the controller’s services, the data subject has any questions or possibly encounters a problem, they may contact the controller through the methods provided on the website (telephone, e-mail, social media sites, etc.).
2. The Controller deletes incoming e-mails, messages, and data provided by telephone, on Facebook, etc., together with the enquirer’s name and e-mail address and any other personal data voluntarily provided, no later than 2 years after the data disclosure.
3. Information on data processing operations not listed in this notice will be provided at the time the data are collected.
4. In the event of an exceptional request from an authority, or a request from other bodies based on statutory authorization, the Service Provider is obliged to provide information, disclose and transfer data, and make documents available.
5. In such cases, the Service Provider will disclose personal data to the requesting party, provided that the exact purpose and scope of the data have been specified, only to the extent and in the amount that is strictly necessary to achieve the purpose of the request.
1. Right of access
You have the right to obtain confirmation from the data controller as to whether your personal data are being processed and, where such processing is taking place, you have the right to access the personal data and the information listed in the Regulation.
2. Right to rectification
You have the right to have inaccurate personal data concerning you rectified by the data controller without undue delay at your request. Taking into account the purpose of the processing, you have the right to request that incomplete personal data be completed, including by means of a supplementary statement.
3. Right to erasure
You have the right to have personal data concerning you erased by the data controller without undue delay at your request, and the data controller is obliged to erase personal data concerning you without undue delay where specific conditions apply.
4. Right to be forgotten
Where the data controller has made the personal data public and is obliged to erase them, taking account of available technology and the cost of implementation, it shall take reasonable steps, including technical measures, to inform controllers processing the data that you have requested the erasure of any links to, or copies or replications of, the personal data in question.
5. Right to restriction of processing
You have the right to request that the data controller restrict processing where one of the following conditions is met:
6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to a data controller in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data were provided (…)
7. Right to object
In the case of processing based on legitimate interest or on the exercise of official authority as legal bases, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data (…), including profiling based on those provisions.
8. Objection to direct marketing
Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling to the extent that it is related to such direct marketing. If you object to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning you or similarly significantly affect you.
The preceding paragraph shall not apply where the decision:
The data controller shall inform you of the action taken on the above requests without undue delay and in any event within 1 month of receipt of the request.
Where necessary, this may be extended by 2 months. The data controller shall inform you of any such extension within 1 month of receipt of the request, stating the reasons for the delay.
If the data controller does not take action on your request, it shall inform you without delay, and at the latest within one month of receipt of the request of the reasons for not taking action, as well as of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risk, including, among others, where appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used for processing personal data;
c) the ability to restore access to personal data and the availability of the data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures taken to ensure the security of processing.
e) The processed data must be stored in such a way that unauthorised persons cannot access them. In the case of paper-based data media, this shall be ensured by establishing rules for physical storage and archiving; in the case of data processed electronically, by applying a central access rights management system.
f) The method of storing data by IT means must be chosen so that their erasure can be carried out when the data erasure deadline expires, including with regard to any potentially different erasure deadline, or if otherwise necessary. Erasure must be irreversible.
g) Paper-based data media must be stripped of personal data with the aid of a document shredder or by using an external organisation specialising in document destruction. In the case of electronic data media, physical destruction must be ensured in accordance with the rules governing the disposal of electronic data media, and, where necessary, secure and irreversible erasure of the data must be carried out beforehand.
h) The data controller takes the following specific data security measures:
a. For the security of personal data processed on paper, the Service Provider applies the following measures (physical protection):
i. Documents shall be stored in a secure, dry room that can be properly locked.
ii. The Service Provider's building and premises are equipped with fire protection and property security equipment.
iii. Personal data may be accessed only by persons authorised to do so; third parties may not access them.
iv. The Service Provider's employee performing data processing may leave the room where data processing is taking place during work only after locking away the data media entrusted to them or locking the given room.
v. If personal data processed on paper are digitised, the rules applicable to digitally stored documents must be applied.
b. IT protection
i. The computers and mobile devices (other data media) used during data processing are owned by the Service Provider.
ii. The data stored on the computers can be accessed only with a username and password.
iii. The central server machine may be accessed only with appropriate authorisation and only by the persons designated for that purpose.
iv. To ensure the security of digitally stored data, the Service Provider uses backups and archiving.
v. The computer system used by the Service Provider and containing personal data is equipped with virus protection.
vi. SSL encryption on the website.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the personal data breach without undue delay.
The information provided to the data subject must clearly and in plain language describe the nature of the personal data breach and provide the name and contact details of the data protection officer or other contact point providing further information; it must describe the likely consequences resulting from the personal data breach; it must describe the measures taken or proposed by the data controller to remedy the personal data breach, including, where applicable, measures to mitigate any possible adverse consequences resulting from the personal data breach.
The data subject does not need to be informed if any of the following conditions is met:
If the data controller has not yet informed the data subject of the personal data breach, the supervisory authority, after considering whether the personal data breach is likely to result in a high risk, may order that the data subject be informed.
The data controller shall notify the supervisory authority competent under Article 55 of the personal data breach without undue delay and, where feasible, no later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons justifying the delay.
If the duration of mandatory data processing, or the periodic review of its necessity, is not determined by law, by a local government decree, or by a binding legal act of the European Union, the controller shall review, at least every three years from the start of data processing, whether the processing of personal data processed by it, or by a processor acting on its behalf or on the basis of its instructions, is necessary for achieving the purpose of the data processing.
The controller shall document the circumstances and outcome of this review, retain this documentation for ten years following completion of the review and make it available to the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: Authority) at the Authority’s request.
A complaint concerning any infringement by the controller may be lodged with the Hungarian National Authority for Data Protection and Freedom of Information:
Hungarian National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Post Office Box: 5.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
In preparing this notice, we took the following legislation into account:
