PRIVACY NOTICE

INTRODUCTION

Empatia Group Korlátolt Felelősségű Társaság (registered office: 1149 Budapest, Egressy út 1D, 2nd floor, door 6, Hungary, company registration number: 01-09-441160; tax number: 32759916-2-42) (hereinafter: the “Data Controller”) adheres to the following privacy notice.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), we provide the following information.

This privacy notice governs the data processing on the following websites: www.empatia.group

The privacy notice is available at the following page: www.empatia.group

Any amendments to this privacy notice shall take effect upon publication at the above address.

DATA CONTROLLER AND CONTACT DETAILS:

Name: Empatia Group Korlátolt Felelősségű Társaság

Contact person: Peter Vago

Registered office: 1149 Budapest, Egressy ut 1D, 2nd floor, door 6, Hungary

E-mail: info@empatia.group

DEFINITIONS

1. Personal Data

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. Processing

“Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

3. Data Controller

“Data controller” means the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its designation may be provided for by Union or Member State law.

4. Data Processor

“Data processor” means a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the data controller.

5. Recipient

“Recipient” means a natural or legal person, public authority, agency, or any other body to which personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the context of a specific inquiry in accordance with Union or Member State law shall not be considered recipients; the processing of such data by those authorities must comply with the purposes of the processing and with the applicable data protection rules.

6. Consent of the Data Subject

“Consent of the data subject” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

7. Personal Data Breach

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA

Personal data shall be:

a) Processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);

b) Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Processing for purposes of public interest archiving, scientific or historical research, or statistical purposes in accordance with Article 89 (1) of GDPR shall not be considered incompatible with the initial purposes (“purpose limitation”);

c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);

d) Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, in relation to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods only insofar as the personal data will be processed solely for public interest archiving, scientific or historical research, or statistical purposes in accordance with Article 89 (1) of GDPR, subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The Data Controller is responsible for ensuring compliance with the above principles and must be able to demonstrate such compliance (“accountability”).

DATA PROCESSING ACTIVITIES

Messaging and Contact

1. Fact of data collection, categories of data processed, and purpose of processing:

Personal DataPurpose of Processing
Name, e-mail addressContact, identification
Date and time of message submissionExecution of technical operation
IP address at the time of message submissionExecution of technical operation

2. Scope of data subjects:

All individuals who send messages or inquiries via the website.

3. Duration of processing / Data retention period:

Data processing continues until the matter is resolved.

4. Persons authorized to access the data:

Personal data may be processed by employees authorized by the Data Controller, in compliance with the principles outlined above.

5. Rights of data subjects regarding data processing:

6. How data subjects can request deletion or modification of personal data:

7. Legal basis for processing:

Consent of the data subject, Article 6(1)(a) GDPR, and Section 5(1) of the Hungarian Data Protection Act (in Hungarian az információs önrendelkezési jogról és az információszabadságról szóló 2011. évi CXII. törvény;Infotv.).

8. Additional information:

ENGAGED DATA PROCESSORS

Hosting Provider

1. Activities performed by the data processor:

Hosting and server services.

2. Name and contact details of the data processor:

Hostinger International Limited

Registered address: 61 Lordou Vironos Street 17 Lumiel Building, 4th floor 18, Larnaca, CY 6023, Cyprus

Website: www.hostinger.com/legal/privacy-policy

3. Fact of data processing and categories of data processed:

All personal data provided by the data subject.

4. Scope of data subjects:

All individuals using the website.

5. Purpose of data processing:

To make the website available and ensure its proper functioning.

6. Duration of processing / Data retention period:

Data processing continues until the termination of the agreement between the data controller and the hosting provider, or until the data subject submits a deletion request to the hosting provider.

7. Legal basis for processing:

User consent, Section 5(1) of the Hungarian Data Protection Act (Infotv.), Article 6(1)(a) of GDPR, and Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.

COOKIE HANDLING

1. Fact of data processing and categories of data processed:

Unique identifier, dates, times.

2. Scope of data subjects:

All individuals visiting the website.

3. Purpose of data processing:

Identification of users and tracking of visitors.

4. Duration of processing / Data retention period:

Cookie TypeLegal Basis for ProcessingRetention PeriodProcessed Data
Session cookiesSection 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society servicesUntil the end of the relevant visitor sessionconnect.sid

5. Persons authorized to access the data:

The Data Controller does not process any personal data through the use of cookies.

6. Rights of data subjects regarding data processing:

Data subjects may delete cookies via the browser’s Tools/Settings menu, generally under Privacy settings.

7. Legal basis for processing:

Consent from the data subject is not required if the sole purpose of using the cookies is to enable communication over an electronic communications network, or where strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

NEWSLETTER AND DIRECT MARKETING ACTIVITIES

1. Under Section 6 of Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities, the User may give prior and explicit consent for the Data Controller to contact them via the contact details provided during registration with advertising offers and other communications.

2. Furthermore, the User may consent, in accordance with this Privacy Notice, to the processing of their personal data necessary for sending advertising offers.

3. The Data Controller does not send unsolicited advertising messages. The User may unsubscribe from receiving offers at any time, free of charge and without providing a reason. In such cases, the Data Controller will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from advertisements by clicking the link included in the message.

4. Fact of data collection, categories of data processed, and purpose of processing:

Personal DataPurpose of Processing
Name, e-mail addressIdentification; enable subscription to the newsletter
Date and time of subscriptionExecution of technical operation
IP address at the time of subscriptionExecution of technical operation

5. Scope of data subjects:

All individuals subscribing to the newsletter.

6. Purpose of data processing:

Sending electronic messages containing advertising (e-mail, SMS, push messages) to the data subject; providing information about current updates, products, promotions, new features, etc.

7. Duration of processing / Data retention period:

Processing continues until the withdrawal of consent, i.e., until the User unsubscribes.

8. Persons authorized to access the data / Recipients of personal data:

Personal data may be processed by the data controller’s sales and marketing staff, in compliance with the principles outlined above.

9. Rights of data subjects regarding data processing:

10. How data subjects can exercise their rights (access, deletion, modification, restriction, portability, objection):

11. The data subject may unsubscribe from the newsletter at any time, free of charge.

12. Legal basis for processing:

Consent of the data subject, Article 6(1)(a) GDPR, Section 5(1) of the Hungarian Data Protection Act (Infotv.), and Section 6(5) of Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities:

The advertiser, advertising service provider, or publisher of advertising – within the scope of the consent given – shall maintain a record of personal data of those who have given their consent. Data recorded in this registry relating to the recipient of advertising may only be processed in accordance with the consent and until its withdrawal, and may be disclosed to third parties only with the prior consent of the data subject.

13. Additional information:

USE OF GOOGLE ANALYTICS

1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies,” which are text files stored on your computer, to help analyze your use of the website.

2. Information generated by the cookies about your use of the website is generally transmitted to and stored on a Google server in the United States. By activating IP anonymization on the website, Google shortens your IP address within the European Union or in other countries that are parties to the Agreement on the European Economic Area prior to transfer.

3. The full IP address is transferred to and shortened on a Google server in the USA only in exceptional cases. On behalf of the website operator, Google uses this information to evaluate your use of the website, prepare reports on website activity for the website operator, and provide other services related to website and internet usage.

4. Within Google Analytics, the IP address transmitted by your browser is not merged with other data held by Google. You can prevent the storage of cookies by adjusting your browser settings; however, please note that some website functions may not be fully available. You can also prevent Google from collecting and processing the data generated by the cookie about your use of the website (including IP address) by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=hu

CUSTOMER CONTACTS AND OTHER DATA PROCESSING

1. If you have questions or encounter problems while using our services, you may contact the data controller through the contact methods provided on the website (phone, e-mail, social media, etc.).

2. The Data Controller deletes emails, messages, and other information provided via phone, etc., together with the name, e-mail address, and any other voluntarily provided personal data of the inquirer, no later than 2 years from receipt.

3. Data processing not listed in this notice will be explained at the time the data is collected.

4. In exceptional cases of official authority requests or under legal authorization, the Service Provider is obliged to provide information, disclose, or transfer data, or make documents available.

5. In these cases, the Data Controller will provide only the personal data necessary to achieve the purpose specified by the requesting authority.

DATA SUBJECT RIGHTS

1. Right of Access

You have the right to obtain confirmation from the Data Controller as to whether your personal data are being processed and, if so, access to the personal data and the information listed in the GDPR.

2. Right to Rectification

You have the right to request the Data Controller to correct inaccurate personal data concerning you without undue delay. Considering the purpose of processing, you may also request the completion of incomplete personal data (e.g., by providing a supplementary statement).

3. Right to Erasure

You have the right to request the deletion of your personal data without undue delay under specified conditions, and the data controller is obliged to erase your personal data without undue delay where applicable.

4. Right to be Forgotten

If personal data have been made public and must be deleted, the data controller shall take reasonable steps, considering available technology and implementation costs, including technical measures, to inform other controllers who process the data that you have requested the deletion of links, copies, or replicas of the personal data.

5. Right to Restriction of Processing

You have the right to request restriction of processing if one of the following applies:

6. Right to Data Portability

You have the right to receive personal data you provided to a controller in a structured, commonly used, and machine-readable format and to transmit them to another controller without hindrance.

7. Right to Object

You have the right to object at any time, for reasons related to your situation, to the processing of your personal data, including profiling.

8. Objection to Direct Marketing

If personal data are processed for direct marketing purposes, you have the right to object at any time. Once you object, your personal data will no longer be processed for these purposes, including profiling for direct marketing.

9. Automated Decision-Making Including Profiling

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, except when:

TIMEFRAME FOR RESPONSES

The data controller shall respond without undue delay, and in any case within 1 month of receipt of your request. This period may be extended by 2 months if necessary. You will be informed of the extension and the reasons within 1 month of receipt.

If no action is taken, the controller will inform you without delay, and at the latest within 1 month, of the reasons and your right to lodge a complaint with a supervisory authority or seek judicial remedy.

DATA SECURITY

The data controller and processor shall implement appropriate technical and organizational measures, considering current scientific and technological knowledge, implementation costs, the nature, scope, context, and purposes of processing, and the risk to individuals’ rights and freedoms, including:

  1. Pseudonymization and encryption of personal data;
  2. Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. Ability to restore access and availability of personal data in a timely manner after a physical or technical incident;
  4. Regular testing, assessment, and evaluation of technical and organizational measures to ensure security.

DATA SUBJECT NOTIFICATION OF A DATA BREACH

If a data breach is likely to result in high risk to the rights and freedoms of natural persons, the data controller shall notify the data subject without undue delay.

The notification shall clearly describe the nature of the breach, provide contact details of the data protection officer or other contact point, explain the likely consequences, and the measures taken or planned to mitigate adverse effects.

Notification is not required if:

Supervisory authorities may also order notification if high risk is likely.

DATA BREACH REPORTING TO AUTHORITIES

The Data Controller shall report the breach to the competent supervisory authority without undue delay and, if possible, within 72 hours of becoming aware, under Article 55 of GDPR, unless the breach is unlikely to result in risk to rights and freedoms. If not reported within 72 hours, reasons for the delay must be provided.

RIGHT TO LODGE A COMPLAINT

Complaints regarding potential violations may be submitted to:

National Authority for Data Protection and Freedom of Information

1125 Budapest, Szilágyi Erzsébet fasor 22/C

Mailing address: 1530 Budapest, P.O. Box 5

Phone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Fill out the form and we'll be in touch soon

    By checking the box above – in accordance with Article 6(1)(a) and Article 7 of the EU Regulation 2016/679 on General Data Protection (“GDPR”) – I consent to the data controller processing my personal data provided here in accordance with the GDPR and the data controller’s Privacy Notice.

    Thank you for your submission!