Data management

https://kurzusok.endoblog.hu.

Privacy notice 

Date of entry into force: 23 February 2020.

1. INTRODUCTION

Nóra Árvai Individual Entrepreneur (registered office: 1138 Budapest Tomori köz 3.; entrepreneur registration number: 33254488; tax number: 66266053141) (hereinafter: "Data Controller"), as the Data Controller, acknowledges that it is bound by the contents of this Privacy Notice in the course of the services it provides on the https://endoblog.hu/ website, its subpages and otherwise.

A user who uses the services of the Data Controller (hereinafter referred to as "Contact") personal data of the Data Controller handles. The Data Controller undertakes to ensure that the processing of data relating to the services provided on the Website and otherwise complies with the applicable legislation and the requirements of this Privacy Notice. The Data Controller reserves the right to unilaterally amend this Policy. In this regard, it is recommended that you regularly visit the website https://endoblog.hu/ in order to keep track of any changes. The current content of this Notice can be consulted and downloaded at any time. If we have the e-mail address of the Data Subject, we will notify you of any changes by e-mail at your request.

Upon request, we will send a copy of the current version of the Notice to the Data Subject.

By providing the personal data concerned, the Data Subject declares that he or she has read and expressly accepted the version of this Notice in force at the time of providing the data.

The requirements set out in this Privacy Notice are in accordance with the applicable data protection legislation:

  • The Basic Law of Hungary (Freedom and Responsibility, Article VI);
  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation)
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
  • Act V of 2013 on the Civil Code

1.1. Data Controller's data

Nóra Árvai Individual Entrepreneur 

Head office: 1138 Budapest Tomori köz 3.

Contractor registration number: 33254488

VAT number: 66266053141

The contact details of the Data Controller through which the Data Subject may exercise the rights set out in this Notice:

E-mail: contact@endoblog.hu

Website: https://endoblog.hu/

2. BASIC CONCEPTS OF DATA PROTECTION

2.1. Personal data:

Data that can be associated with any specific natural person (identified or identifiable) (hereinafter referred to as "data subject"), the inference that can be drawn from the data concerning the data subject. The personal data shall retain this quality during processing for as long as the link with the data subject can be established. In particular, a person shall be regarded as identifiable where he or she can be identified, directly or indirectly, by reference to a name, an identification mark or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity;

2.2. Contribution:

A voluntary and explicit indication of the data subject's wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, either in full or in relation to specific operations;

2.3. Objection:

A declaration by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data;

2.4. Data Controller:

The natural or legal person or unincorporated body which determines the purposes for which personal data are processed, takes and implements the decisions concerning the processing (including the means used) or has the processing carried out by a processor on its behalf;

2.5. Data Management:

Regardless of the process used, any operation or set of operations which is performed on personal data, such as collection, recording, recording, organisation, storage, alteration, use, disclosure, transmission, alignment or combination, blocking, erasure and destruction, and prevention of further use of the data;

2.6. Data transmission:

If the data is made available to a specified third party;

2.7. Disclosure:

If the data is made available to anyone;

2.8 Data deletion:

Making data unrecognisable in such a way that it is no longer possible to recover it;

2.9. Data retention:

Making it impossible to transmit, access, disclose, transform, alter, destroy, erase, interconnect or coordinate and use the data permanently or for a specified period;

2.10. Data destruction:

Complete physical destruction of the data or the medium containing the data;

2.11. Data processing:

Performing technical tasks related to data processing operations, regardless of the method and means used to perform the operations and the place of application;

2.12. Data Processor:

A natural or legal person or unincorporated body that processes personal data on behalf of the controller, including on the basis of a legal mandate;

2.13. Third person:

A natural or legal person or unincorporated body other than the data subject, the controller or the processor;

2.14. EEA State:

A Member State of the European Union and another State party to the Agreement on the European Economic Area, as well as a State whose nationals enjoy the same status as nationals of a State party to the Agreement on the European Economic Area under an international treaty concluded between the European Community and its Member States and a State not party to the Agreement on the European Economic Area;

2.15. Third country:

Any state that is not an EEA state.

3. DATA PROTECTION PRINCIPLES

Personal data:

  1. be lawful, fair and transparent for the data subject ("lawfulness, fairness and transparency");
  2. collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes ("purpose limitation") is not considered incompatible with the original purpose in accordance with Article 89(1) of the GDPR;
  3. be adequate and relevant for the purposes for which the data are processed and limited to what is necessary ("data minimisation");
  4. be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay ("accuracy");
  5. be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the personal data will be processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organisational measures as provided for in this Regulation to safeguard the rights and freedoms of data subjects ('limited storage');
  6. be carried out in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage ("integrity and confidentiality"), by implementing appropriate technical or organisational measures.

The Controller is responsible for compliance with the above and must be able to demonstrate such compliance ("accountability"). The Controller does not collect personal data relating to minors.

4. DETAILED RULES ON DATA PROCESSING

Who has access to the data:

  • employees of the Data Controller;
  • employees of the Data Processors identified below;
  • certain public authorities in relation to data requested by them in the course of official proceedings and which the Data Controller is legally obliged to provide;
  • employees of a debt management company appointed by the Controller to manage overdue debts;
  • other persons with the express consent of the Data Subject.

The Data Controller undertakes to maintain strict confidentiality of the personal data it processes without any time limitation, and shall not disclose them to third parties, except with the consent of the Data Subject.

The withdrawal of consent does not affect the lawfulness of the previous processing.

4.1 Data management related to the subscription to the "Endomail" newsletter

The Data Subject has the possibility to subscribe to the "Endomail" newsletter, which gives him/her access to the information material compiled by the Data Controller every week.

4.1.1 The scope of the data processed and the detailed purposes of the processing:

  • Full name: necessary to identify the Data Subject
  • E-mail address: for the purposes of communication between the Data Controller and the Data Subject

4.1.2 Legal basis for processing

The legal basis for processing is the consent of the Data Subject (Article 6(1)(a) GDPR).

4.1.3 Duration of data processing

The Data Controller processes personal data until the Data Subject's consent is withdrawn. You may withdraw your consent at any time by sending an e-mail to contact@endoblog.hu.

4.2 Contact-related data processing

The Data Subject may contact the Data Controller through several communication channels: he or she may send a message to. https://endoblog.hu/kapcsolat subpage, or by sending an e-mail to the Data Controller.

4.2.1 The scope of the data processed and the detailed purposes of the processing:

  • Full name: necessary to identify the Data Subject
  • E-mail address: for the purposes of communication between the Data Controller and the Data Subject
  • Message content: the content of the message is necessary to identify the question or problem of the Data Subject.  

4.2.2 Legal basis for processing

The legal basis for processing is the consent of the Data Subject (Article 6(1)(a) GDPR).

4.2.3 Duration of data processing

The Data Controller shall process the personal data, if no contract is concluded between the parties, within 15 days after the termination of the contact or until the withdrawal of the Data Subject's consent. You may withdraw your consent at any time by sending an e-mail to contact@endoblog.hu.

4.3 Data processing in connection with booking appointments

The Data Subject has the possibility to book an appointment to use the services provided by the Data Controller at the following address. https://endoblog.hu/eshop/booking via the subpage.

4.3.1 The scope of the data processed and the detailed purposes of the processing:

  • Full name: necessary to identify the Data Subject
  • E-mail address: for the purposes of communication between the Data Controller and the Data Subject
  • Telephone number: used for communication between the Data Controller and the Data Subject
  • Type of consultation: necessary for the performance of the contract
  • Message content: necessary for the performance of the contract  

4.3.2 Legal basis for processing

The legal basis for processing is the performance of a contract (Article 6(1)(b) GDPR).

4.3.3 Duration of data processing

After the termination of the relationship with the Data Subject, the data shall be processed in accordance with the provisions of the Civil Code. 6:22 of the Personal Data Protection Act, we will delete the data after 5 years. If we are obliged to retain the data pursuant to Section 169 of Act C of 2000 on Accounting ("Accounting Act"), we will delete the data after 8 years following the termination of the relationship with the Data Subject. In practice, this is the case where the data is part of the supporting accounting documents, such as the documents relating to the conclusion of the contract (the contract itself, where applicable) or the invoice issued.

4.4 Data processing related to product orders

The Data Subject has the possibility to order a product from https://endoblog.hu/eshop via the subpage. In the case of product orders, the purpose of data processing is to deliver the ordered goods to the Data Subject in accordance with the Data Subject's needs, with the assistance of our contractual partner.

4.4.1 The scope of the data processed and the detailed purposes of the processing:

  • Full name: name of the Data Subject necessary for the performance of the contract and for identification
  • E-mail address: for the purposes of communication between the Data Controller and the Data Subject
  • Telephone number: required for efficient communication
  • Billing address: required for the performance of the contract
  • Delivery address: necessary for the performance of the contract
  • Bank account number: to be used for direct bank transfers necessary for the performance of the contract
  • Communication: to be handled by direct transfer as necessary for the performance of the contract
  • Note: necessary to meet the other needs of the Data Subject

4.4.2 Legal basis for processing

The legal basis for processing is the performance of a contract (Article 6(1)(b) GDPR).

4.2.3 Duration of data processing

After the termination of the relationship with the Data Subject, the data shall be processed in accordance with the provisions of the Civil Code. 6:22 of the Personal Data Protection Act, we will delete the data after 5 years. If we are obliged to retain the data pursuant to Section 169 of Act C of 2000 on Accounting ("Accounting Act"), we will delete the data after 8 years following the termination of the relationship with the Data Subject. In practice, this is the case where the data is part of the supporting accounting documents, such as the documents relating to the conclusion of the contract (the contract itself, where applicable) or the invoice issued.

4.5 Data processing related to service contracts and service provision

Each Data Subject will be required to sign a service contract when using the services provided by the Data Controller, which includes mental health assistance, is professional and life coaching, is not psychotherapy and is not a substitute for medical or health care.

4.5.1 The scope of the data processed and the detailed purposes of the processing:

  • Full name: name of the Data Subject necessary for the performance of the contract and for identification
  • Place and date of birth: necessary for the performance of the contract and for identification
  • Name of mother: necessary for the performance of the contract and for identification
  • Telephone number: required for efficient communication
  • Date: necessary for the performance of the contract
  • Information provided by the data subject during the provision of the service: necessary for the performance of the contract
  • Signature: required for the performance of the contract

4.5.2 Legal basis for processing

The legal basis for processing is the performance of a contract (Article 6(1)(b) GDPR).

4.5.3 Duration of data processing

After the termination of the relationship with the Data Subject, the data shall be processed in accordance with the provisions of the Civil Code. 6:22 of the Personal Data Protection Act, we will delete the data after 5 years. If we are obliged to retain the data pursuant to Section 169 of Act C of 2000 on Accounting ("Accounting Act"), we will delete the data after 8 years following the termination of the relationship with the Data Subject. In practice, this is the case where the data is part of the supporting accounting documents, such as the documents relating to the conclusion of the contract (the contract itself, where applicable) or the invoice issued.

4.6 Data management in relation to cookies on our website

4.6.1 Scope of the data processed and purpose of the processing:

By visiting the Data Controller website or any of its sub-pages and browse the content of the site, you agree to the following terms and conditions. 

The Data Controller. some of its services place unique identifiers, so-called cookies, on the computers of Data Subjects (users). These are used exclusively to identify the current session of the visitor, to store the data provided during the session, to prevent data loss and to analyse the Data Subject's habits anonymously using Google Analytics. This data includes the visitor's IP address, time and duration of the visit, pages visited, browser type, operating system, etc. This data is stored and treated confidentially and is used only for the purpose of improving the www.mediateleshop.hu website and compiling statistics.

4.6.2 Legal basis for processing

The legal basis for processing is the consent of the Data Subject. The use of cookies can be approved by the visitor by clicking on the "Accept" button in the pop-up window on the home page of www.mediateleshop.hu.

4.6.3 Duration of processing

The lifetime of a cookie lasts until the time it leaves www.mediateleshop.hu.

4.6.4 Visitor's rights in relation to cookie processing

The visitor's browser has the option to delete the cookie at any time.

The data subject may unsubscribe from the newsletter at any time, free of charge.

5. PERSONS AUTHORISED TO PROCESS DATA

The Data Controller uses the data processors listed in the table below to perform the technical tasks related to the data processing operations. The rights and obligations of the data processor in relation to the processing of personal data shall be determined by the Data Controller within the framework of the GDPR and the specific laws applicable to data processing. The Controller is responsible for the lawfulness of the instructions given by it. The processor shall not take any substantive decision regarding the processing, shall process the personal data of which it becomes aware only in accordance with the Controller's instructions, shall not process the personal data for its own purposes and shall store and retain the personal data in accordance with the Controller's instructions.

Names and contact details of data processorsThe activity performed in the processing of data
Magyar Posta Zrt.For residential customers: 06-1-767-8282Monday to Wednesday and Friday 08:00-17:00Thursday 08:00-20:00.For business customers: 06-1-767-827216 January - 31 October: Monday to Friday 08:00-18:001 November - 15 January: Monday to Friday: 08:00-19:00MPL (Hungarian Postal Logistics) services: 06-1-333-7777 Monday to Wednesday and Friday 08:00-17:00Thursday 08:00-20:00.MPL Europe Standard services: 06-1-767-8277Monday to Friday 08:00-18:00Saturday* 08:00-14:00Data required for the delivery provided by the Data Subject.Access to the delivery data processed by the Data Controller on the basis of this Notice. Its task is to deliver the products based on the delivery data provided by the Data Controller.
PayPal Holdings Inc.The data processor is PayPal (Europe) S.à r.l. et Cie, S.C.A. Société en Commandite par Actions Registered Office: 22-24 Boulevard Royal, L-2449 Luxembourg RCS Luxembourg B 118 349Telephone number of the data processor: 00353 1 436 9111E-mail address of the data processor: service@intl.paypal.comIn doing so, the Data Processor processes the customer's name, billing address, telephone number, e-mail address, the amount of the transaction, the characteristics of the products purchased, the payment status and the date of purchase.
3 in 1 Hosting Bt.Availability:https://megacp.com/contactinfo.phpYou have access to all personal data processed by the Controller under this Notice. Its task is to store the personal data processed by the Controller.
Csilla Magyari AccountantAvailability:konyveles@katacenter.huIt has access to the data needed for bookkeeping and payroll, and is responsible for carrying out bookkeeping and payroll.
Mailchimp The Rocket Science Group, LLC (675 Ponce de Leon Avenue, Suite 5000, Atlanta, GA 30308 USA). The foreign operator ensures data processing in compliance with European Union regulations under the provisions of the EU-U.S. Privacy Shield Framework.NewsletterThe name and e-mail address of the Data Subject will be processed.

6. DATA SECURITY MEASURES

The Data Controller will act in accordance with the provisions of the "Regulation 2016/679 of the European Parliament" and "Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information" in relation to the personal data provided by the Data Subject.

The Data Controller shall take all reasonable steps to ensure the security of the data, and shall ensure an adequate level of protection, in particular against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or accidental damage. The Controller shall ensure the security of the data by appropriate technical (e.g. logical protection, in particular encryption of passwords and communication channels) and organisational measures.

Please help us to protect your information by not using an obvious login name or password and by changing your password regularly, and please do not disclose your password to anyone else.

7. DATA SUBJECTS' RIGHTS IN RELATION TO DATA PROCESSING

The Data Subject's data protection rights and remedies, and the relevant provisions and limitations of the GDPR in this regard, are set out in detail in the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the GDPR). The most important provisions are summarised below.

7.1 Right of access by the Data Subject

You have the right to receive feedback from us on whether your personal data is being processed. If such processing is ongoing, the Data Subject is entitled to access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data of the Data Subject;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;

(d) where applicable, the envisaged duration of the storage of the personal data or, if this is not possible, the criteria for determining that duration;

(e) the right of the Data Subject to request from us the rectification, erasure or restriction of the processing of personal data relating to the Data Subject and to object to the processing of such personal data;

(f) the right to lodge a complaint with a supervisory authority; and

(g) where the data have not been collected from the Data Subject, any available information about their source;

(h) the fact of automated decision-making, including profiling, and, at least in these cases, the logic used and clear information on the significance of such processing and the likely consequences for the Data Subject.

If personal data are transferred to a third country, the Data Subject is entitled to be informed of the appropriate safeguards regarding the transfer.

We will provide the Data Subject with a copy of the personal data processed. If the Data Subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the Data Subject requests otherwise.

7.2 Right to rectification

The Data Subject has the right to have inaccurate personal data relating to him or her corrected without undue delay upon his or her request. The Data Subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

7.3 Right to erasure ("right to be forgotten")

(1) The Data Subject shall have the right to obtain, upon his or her request and without undue delay, the erasure of personal data relating to him or her where one of the following grounds applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) The Data Subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;

c) The Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;

d) the personal data have been unlawfully processed;

(e) the personal data must be erased in order to comply with a legal obligation under EU or Member State law applicable to us; or

f) the personal data were collected in connection with the provision of information society services.

(2) If the Controller has disclosed the personal data and is obliged to delete it pursuant to paragraph (1), it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that have processed the data that the Data Subject has requested the deletion of the links to or copies or replicas of the personal data in question.

(3) Paragraphs 1 and 2 shall not apply where the processing is necessary for, inter alia:

a) for the exercise of the right to freedom of expression and information;

(b) for the purposes of complying with an obligation under EU or Member State law that requires the processing of personal data that is applicable to us;

(c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right referred to in paragraph 1 would be likely to render such processing impossible or seriously impair it; or

(d) for the establishment, exercise or defence of legal claims.

7.4 Right to restriction of processing

(1) The Data Subject shall have the right to restrict processing at his or her request if one of the following conditions is met:

a) The Data Subject contests the accuracy of the personal data, in which case the restriction applies for the period of time that allows us to verify the accuracy of the personal data;

(b) the processing is unlawful and the Data Subject opposes the erasure of the data and requests instead the restriction of their use;

(c) we no longer need the personal data for the purposes of processing, but the Data Subject requires it for the establishment, exercise or defence of legal claims; or

(d) The Data Subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the Data Subject.

Where processing is restricted pursuant to paragraph 1, such personal data may be processed, except for storage, only with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

The Data Subject will be informed in advance of the lifting of the restriction on processing.

7.5 Obligation to notify the rectification or erasure of personal data or restriction of processing

The Controller will inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. We will inform you of these recipients at the request of the Data Subject.

7.6 Right to data portability

(1) The Data Subject shall have the right to receive the personal data concerning the Data Subject which he or she has provided to us in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance by the Controller, if:

(a) the processing is based on consent or on a contract; and

(b) the processing is carried out by automated means.

In exercising the right to data portability under paragraph 1, the Data Subject shall have the right to request, where technically feasible, the direct transfer of personal data between controllers.

7.7 The right to object

The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on legitimate interests, including profiling. In such a case, the personal data will no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.

If the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.

In the context of the use of information society services and by way of derogation from Directive 2002/58/EC, the Data Subject may exercise the right to object by automated means based on technical specifications.

Where personal data are processed for scientific or historical research purposes or for statistical purposes, the Data Subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

7.8 Right to lodge a complaint with a supervisory authority

The Data Subject may enforce his/her rights before the courts under the GDPR and the Civil Code, and may also contact the National Authority for Data Protection and Freedom of Information (NAIH) (1125 Budapest, Szilágyi Erzsébet fasor 22/C; postal address: 1530 Budapest, Pf. 5; phone: +36 1 391 1400; e-mail: ugyfelszolgalat@naih.hu) in case of complaints about the data controller's data management practices. Detailed rights and remedies in relation to data processing are set out in Articles 77, 79 and 82 of the GDPR. 

7.9 Right to an effective judicial remedy against the supervisory authority

The Data Subject shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning the Data Subject.

The Data Subject has the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the Data Subject within three months of the procedural developments or the outcome of the complaint lodged.

Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

7.10 Right to an effective judicial remedy against the controller or processor

The Data Subject has the right to an effective judicial remedy if he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in a way that does not comply with the GDPR.

Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State where the Data Subject has his or her habitual residence.

It is recommended that you send the complaint to the controller before initiating any procedure.

All rights reserved. © 2025 Arvainora.hu
en_USEN