Privacy policy
Last updated: May 29, 2024.
PRIVACY NOTICE
1. Data Controller
The data controller for personal data is Cinkostárs Kft. (address and mailing address: 1113 Budapest, Hamzsabégi út 60., Building E, Staircase 2, Floor 2, Door 190, company registration number: 01-09-416272, tax number: 32288876-2-43, phone number: +36-30/561-6852, e-mail: cinkostarskft@gmail.com). The Data Controller informs the data subjects that the data processing activities detailed in this notice are carried out jointly with one or two psychologists conducting group therapy sessions as co-data controllers (hereinafter: Co-Data Controller). The Data Controller informs the data subject that the psychologist or psychologists who run the therapy session, for which the data subject has registered, are considered co-data controllers.
The Data Controller further informs data subjects that the purpose and means of data processing, the division of responsibilities for fulfilling obligations relating to data processing, and the roles and relationship with data subjects have been jointly determined with the Co-Data Controller.
Data subjects primarily have the option of contacting the Data Controller with questions, potential complaints, or requests regarding exercising their rights. Exceptions include requests or complaints regarding personal data gathered during group therapy, which should be directed to the Co-Data Controller, whose contact information is included in the confirmation email sent by the Service Provider to the data subject. Data subjects can choose at any time to direct their data-related questions to the Co-Data Controller instead, and they may exercise their rights with the Co-Data Controller rather than the Data Controller.
2. Scope of Data Subjects, Personal Data Processed
The Data Controller processes the following personal data of individuals applying for group therapy sessions that it offers:
to ensure registration: name, phone number, email address;
in connection with service provision: type of group therapy chosen by the subject, dates of group sessions, participant data, service fee amount, payment date, expiry date, and last four digits of the bank card used by the subject, name of the issuing card company, payer's billing name and billing address;
for complaint handling: name, address, personal data related to the complaint, any additional data voluntarily provided by the subject (if relevant);
for newsletter sending purposes: email address.
The Data Controller draws the attention of data subjects submitting a registration that if third-party data is provided, they must ensure that real data is provided and that these third parties are also made aware of the content of this notice.
The Co-Data Controller handles any personal data beyond the name, phone number, and email address of the subject participating in the therapy they conduct, which is essential for the advisory activities undertaken in the group therapy (typically age, educational background, occupation, behavior, information about family environment, intelligence and mental state information, data relating to previous psychological treatments) as well as any data that becomes known to the Co-Data Controller during group therapy sessions. The Co-Data Controller informs subjects that the Data Controller does not handle data required for performing advisory activities or data arising during the therapy.
3. Purpose of Data Processing
The purpose of processing personal data provided during registration is to enable the Data Controller to register the subject's application for the chosen group therapy and to confirm their successful registration. The purpose of processing data collected in the context of service provision is to ensure that the group therapy service can be used and the subject can attend the sessions, as well as to issue and deliver an invoice for the service fee paid by the subject. The processing of personal data of subjects who submit a complaint to the Data Controller is carried out solely for the purpose of investigating and responding to the complaint in writing within the deadline prescribed by law. The purpose of processing newsletter subscribers' data is to receive and register subscription requests and to send newsletters to the subject.
The purpose of processing data of subjects is to ensure that the Co-Data Controller can provide complete and comprehensive care to subjects within the framework of group therapy and to fulfill any notification obligations if necessary. If the Co-Data Controller processes health data, the purpose of their processing is to promote the preservation, improvement, or maintenance of the subject's health and to monitor the subject's health state as per Section 4 (1) of the Health Act of 1997, Act XLVII (hereinafter: Health Act).
4. Legal Basis for Data Processing
The legal basis for processing personal data for registration and service provision is the performance of a service contract entered into with the Data Controller and steps taken at the request of the data subject prior to entering the contract, as per Article 6(1)(b) of the GDPR. By contrast, the billing data of the subject is processed by the Data Controller based on its legal obligation under Section 169 of the VAT Act of 2007, Act CXXVII.
Data processing for newsletter purposes is based on the subject's consent.
The legal basis for complaint handling data processing is fulfilling the legal obligation under Sections 17/A(3)-(6) of the Consumer Protection Act of 1997, Act CLV, regarding the investigation and response to complaints.
Data processing by the Co-Data Controller is based on the Co-Data Controller's legitimate interest, whereas if health data is involved, it is also based on the explicit consent of the subject under Article 9(2)(a) of the GDPR. An interest assessment was conducted to apply the legitimate interest legal basis, confirming that the legitimate interest of the Co-Data Controller in processing data prevails over the data subjects' interest not to have their data processed.
Data subjects may object to data processing based on the Co-Data Controller's legitimate interest, but filing an objection does not automatically result in the termination of data processing and the immediate deletion of data. This will only occur if it is determined after examining the request that no overriding legitimate grounds justify further processing of the data, which take precedence over the data subjects’ legitimate interests, rights, and freedoms, or relate to legal claims.
5. Data Processing Duration
Data necessary for registration and service provision will be processed by the Data Controller as long as the data subject participates in group therapy sessions. By contrast, billing data will be processed for 8 (eight) years from the issuance of each invoice based on Section 169 (2) of the Accounting Act of 2000, Act C.
The data of subjects subscribed to newsletters will be processed by the Data Controller until they withdraw their consent or unsubscribe from the newsletters.
The processing of personal data for complaint handling, in line with relevant legal regulations, lasts for 3 (three) years from the Data Controller's response to the complaint.
The Co-Data Controller processes the subject's data as long as the group therapy sessions with the subject's participation are ongoing. If health data processing is involved for the subject, it will be processed for 30 years from data collection, as required under Section 30 (1) of the Health Act.
6. Data Recipients
a. Recipients within the Data Controller and Co-Data Controller's Organizations
The Data Controller informs data subjects that their personal data can be accessed and processed by the Data Controller’s executives and owners in connection with fulfilling their responsibilities/tasks arising from their position.
Personal data from data subjects are only accessible and processed by the psychologist from the Co-Data Controller's side who personally conducts the group therapy session the subject attends.
b. Stripe Payments Europe Limited as a Recipient
To enable online payment of service fees by the subject, the Data Controller uses the services of Stripe Payments Europe Limited (address: 3 Dublin Landings, North Wall Quay, Dublin 1, Dublin, D01C4E0, Ireland, mailing address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland, privacy@stripe.com, foreign registration number: 513174) (hereinafter: Stripe), which involves handling data of data subjects.
If the subject pays by bank card through the secure Stripe payment platform, the Data Controller provides Stripe with the following personal data: the name of the service used, service fee amount due, purchase time, expiry date, and last four digits of the bank card used by the subject, name of the card issuing company.
The transfer of the above data is essential for the Data Controller to enable the subject to pay the service fee online at https://www.tabukvillaja.hu/. This data transfer is based on the contract concluded with the acceptance of the participation rules between the subject and the Data Controller. Stripe processes this data as a data processor, maintaining and operating Stripe's secure payment platform to facilitate online payment transactions, under a separate data processing agreement.
The Data Controller draws attention to the fact that the Stripe secure payment platform may request further personal data from the subject during online card payment, which is processed by Stripe as an independent data controller. Stripe processes bank card data (cardholder's name, CVC code, card number, expiry date, issuer name), the unique identifier and IP address of the device used for payment, and the subject's email address for providing its customer services, monitoring, preventing, and detecting fraudulent transactions and other suspicious activities, and complying with legal obligations or regulatory requirements applicable to Stripe as a financial sector participant, particularly measures to prevent money laundering, and analyzing and improving its products and services. The personal data provided by the subject on the Stripe payment platform can only be accessed by Stripe; the Data Controller is not entitled to this access and thus does not process the data.
Both Data Controller and Stripe must comply with GDPR provisions during their data processing activities to ensure the secure handling of the subject's data, and to provide appropriate information on data processing. The Data Controller informs data subjects that they can exercise their data subject rights with respect to personal data handled by the company as detailed in section 7 of this notice. Regarding data processing by Stripe, data subjects can exercise their rights by submitting a request to Stripe as outlined in Stripe's data privacy notice available at: https://stripe.com/en-hu/privacy.
The Data Controller informs data subjects that Stripe transfers processed data to third countries for subprocessors or partners providing services to Stripe (United States, Canada, Colombia, Malaysia, Philippines, United Kingdom). Transfer also occurs if Stripe subsidiaries involved in providing services offered to the Data Controller by Stripe are located in third countries (Australia, Canada, Malaysia, Mexico, India, Indonesia, Japan, Singapore, New Zealand, Brazil, Hong Kong, United States, Thailand, Israel, United Arab Emirates). Stripe ensures that the protection level required and guaranteed by GDPR is provided for the transferred personal data. The basis for data transfers: European Commission's adequacy decision or, failing this, contractual terms between data controller and processor (Standard Contractual Clauses – SCC). The list of third-country recipients to whom Stripe transfers personal data is available at: https://stripe.com/en-hu/service-providers/legal.
The Data Controller notes that if the subject initiates payment through the Stripe secure payment platform, Stripe, as well as third-party service providers, may use cookies to identify the subject as a user, enhance the browsing experience, personalize services, content, and ads, measure promotion efficiency, and conduct analyses. These cookies are necessary to guarantee the safety of card payments initiated by the subject and are also indispensable for preventing potential fraud. Certain functions of the Stripe payment platform can only be accessed through cookie use, therefore disabling or refusing cookie use may restrict or entirely prevent the use of the payment platform. Information on cookie use and data processed through cookies by Stripe is available at: https://stripe.com/cookies-policy/legal.
c. Data Processors
The Data Controller also informs data subjects that the processing of personal data involves the collaboration of the following data processors:
Emergence-Engineering Kft. (address: 1123 Budapest, Nagyenyed u. 5. pinceszint, e-mail: szamlabridge@emergence-engineering.com)
processed data: payer's billing name, billing address
activity: providing integration software required for invoicing
KBOSS.hu Kft. (address: 1031 Budapest, Záhony u. 7., e-mail: info@szamlazz.hu)
processed data: payer's billing name, billing address
activity: providing an online invoicing program (számlázz.hu) necessary for invoicing
The Rocket Science Group LLC d/b/a Mailchimp (address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, United States, e-mail: privacy@mailchimp.com)
processed data: personal data of newsletter subscribers
activity: providing the newsletter sending function of the Data Controller's website
The Data Controller informs data subjects that written data processing agreements have been concluded with all data processors. The Data Controller informs data subjects that data processors cannot make any substantial decisions regarding data processing, and they can only process personal data shared with them following the instructions of the Data Controller, not performing any data processing activity for their own purposes.
The Data Controller ensures it only collaborates with data processors providing the necessary guarantees to enforce data protection regulations and protect data subject rights.
d. Other Recipients
The Data Controller informs data subjects that, due to the nature of group therapy, personal data disclosed during sessions will also be known to other clients attending the sessions.
7. Data Subject Rights and Exercise of Rights
The Data Controller takes necessary measures to ensure data subjects can fully exercise their rights related to personal data protection without undue restriction or hindrance.
Under the right of access, the data subject is entitled to receive feedback from the Data Controller on whether their data is being processed, and if so, they are entitled to access personal data and essential information related to data processing along with obtaining a copy of the data, without adversely affecting the rights and freedoms of others.
The data subject can decide to request rectification or restriction of data processing from the Data Controller, or request deletion of personal data if legal conditions for such requests are met. If data processing is based on the data subject's consent, the data subject is entitled to withdraw their consent.
The data subject's requests must always be sent in writing to cinkostarskft@gmail.com. The Data Controller evaluates the received requests immediately, but no later than within 1 month of receipt, and provides information on the result within the same time frame unless the Data Controller is entitled to extend the deadline.
For further information on exercising data subject rights, the Data Controller asks data subjects to review the privacy notice published by the Data Controller on the https://www.tabukvillaja.hu/ website in the "Data Subjects' Rights, Exercise of Rights" section, which presents the individual data subject rights and conditions, rules of exercise in detail. The privacy notice is available here: https://www.tabukvillaja.hu/adatkezelesi-tajekoztato
8. Legal Remedies
The Data Controller strives to ensure all aspects of data processing comply with legality, fairness, and security requirements, hence data subjects can always report complaints to the Data Controller using the contact details listed in this notice.
Data subjects can directly contact the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa u. 9-11., mailing address: 1363 Budapest, Pf. 9., e-mail: ugyfelszolgalat@naih.hu, phone: +36 (30) 683-5969, +36 (30) 549-6838, or +36 (1) 391 1400) if they believe their personal data was processed unlawfully. Rules for lodging and evaluating complaints, and conducting official procedures are available at the www.naih.hu website. The Data Controller informs subjects that if they disagree with the Authority's decision, or the Authority does not investigate the complaint within the deadline, nor informs them of any procedural developments or outcomes related to the complaint within 3 months, they can seek judicial remedy at the court competent for the Authority's headquarters.
If the data subject believes that inappropriate data handling by the Data Controller violated their personal data rights, they may initiate proceedings at the Metropolitan Court (address: 1055 Budapest, Markó u. 27., mailing address: 1363 Budapest, Pf. 16.), or the court competent for their place of residence or domicile (contacts: https://birosag.hu/birosag-kereso). The Data Controller notes that legal representation is mandatory in court proceedings.
If a data subject suffers damage due to a violation of data protection regulations, they can claim compensation or non-material damages before the court competent for the Data Controller's headquarters or the court competent for their residence or domicile. Competent courts and contacts are available via the following link: https://birosag.hu/birosag-kereso
9. Data Security Measures
The Data Controller takes necessary technical and organizational steps to ensure the security of data it processes. To ensure compliance with data security requirements, the Data Controller regularly reviews and evaluates the effectiveness of its measures, maintaining continuous monitoring. Further provisions on data security are detailed in section 10 of the Data Controller's privacy notice available on the https://www.tabukvillaja.hu/ website.
10. Modification of Privacy Notice
The Data Controller reserves the right to modify this privacy notice unilaterally and without time limitation. The Data Controller undertakes to take necessary steps to inform data subjects adequately about any modifications to the notice.