REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter “the Regulation”) requires that the controller takes appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, and to facilitate the exercise of the data subject’s rights.
The obligation to inform the data subject in advance is also provided for in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.
The following information is provided to comply with this legal obligation.
The information must be published on the company’s website or sent to the person concerned on request.
The publisher of this information and the Data Controller is Szabolcs Tamás Garab.
Company name: Szabolcs Tamás Garab sole proprietor
Headquarters: Hungary 1031 Budapest, Nánási út 75-77. C ép. 532.
Tax number: 71701646-1-41
Representative: Szabolcs Tamás Garab
E-mail address: info@babyface.pics
Website: https://babyface.pics
(hereinafter referred to as “the Company”)
Data processor: a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller; (Article 4(8) of the Regulation)
The use of a processor does not require the prior consent of the data subject, but the data subject must be informed. Accordingly, the following information is provided:
1. Our IT service provider
For the maintenance and management of its website, our Company uses a data processor who provides IT services (hosting service) and, within the framework of this service, processes the personal data provided on the website for the duration of our contract with him/her, and the operation performed by him/her is the storage of personal data on the server.
This data processor is called:
Company name: Kore6 Development Kft.
Headquarters: 1134 Budapest, Lehel utca 17. II. floor door 6A.
Tax number: 24212580-2-41
E-mail address: info@kore6.com
Website: www.kore6.com
1. Processing based on the data subject’s consent
(1) Where the Company intends to carry out data processing based on consent, the data subject’s consent to the processing of his or her personal data shall be obtained by means of a request for consent in accordance with the content and information set out in the data processing policy.
(2) Consent shall also be deemed to be given if the data subject ticks a relevant box when viewing the Company’s website, makes relevant technical settings when using information society services, or makes any other statement or takes any other action which, in the relevant context, clearly indicates the data subject’s consent to the intended processing of his or her personal data. Silence, ticking a box or inaction therefore does not constitute consent.
(3) Consent shall cover all processing activities carried out for the same purpose or purposes. Where processing is carried out for more than one purpose, consent shall be given for all the purposes for which the processing is carried out.
(4) Where the data subject gives his or her consent in the context of a written statement which also relates to other matters, such as the conclusion of a sales or service contract, the request for consent must be presented in a manner clearly distinguishable from those other matters, in a clear and easily accessible form, in clear and plain language. Any part of such a statement containing the consent of the data subject that is in breach of the Regulation shall not be binding.
(5) The Company may not make the conclusion or performance of a contract conditional on the consent to the processing of personal data that are not necessary for the performance of the contract.
(6) The withdrawal of consent shall be made possible in the same simple manner as the granting of consent.
(7) Where the personal data have been collected with the consent of the data subject, the controller may process the collected data for the purpose of complying with a legal obligation to which the data subject is subject, unless otherwise provided by law, without further specific consent and even after the withdrawal of the data subject’s consent.
2. Processing based on the performance of a legal obligation
(1) In the case of processing based on a legal obligation, the scope of the data to be processed, the purpose of the processing, the duration of the storage of the data, and the recipients shall be governed by the provisions of the underlying legislation.
(2) The processing based on the legal ground of performance of a legal obligation is independent of the consent of the data subject since the processing is determined by law. In such cases, the data subject shall be informed before the processing starts that the processing is mandatory and shall be provided with clear and detailed information on all the facts relating to the processing of his or her data, in particular on the purposes and legal basis of the processing, the identity of the controller and of the processor, the duration of the processing, the fact that the controller is processing the personal data of the data subject based on a legal obligation to which the data subject is subject and the persons who may have access to the data. The information should also cover the rights and remedies of the data subject in relation to the processing. In the case of mandatory processing, the information may also be provided by making public a reference to the legal provisions containing the foregoing information.
3. Promoting the rights of the data subject
The Company shall ensure the exercise of the rights of the data subject in all its processing.
1. The visitor to the website must be informed about the use of cookies on the website and must be asked for his/her consent, except for session cookies, which are technically necessary.
2. General information about cookies
2.1 A cookie is a piece of data that the visited website sends to the visitor’s browser (in the form of a variable name value) so that it can store and later load the content of the same website. A cookie can be valid until the browser is closed, or indefinitely. In subsequent HTTP(S) requests, the browser will also send this data to the server. In this way, the data on the user’s computer is modified.
2.2 The point of a cookie is that website services inherently need to be able to identify a user (e.g. that they have entered the site) and to be able to manage them accordingly. The danger is that the user may not always be aware of this and may be tracked by the website operator or other service provider whose content is embedded in the site (e.g. Facebook, Google Analytics), thereby creating a profile of the user, in which case the content of the cookie may be considered personal data.
2.3. Types of cookies:
2.3.1. technically necessary session cookies: without which the site would simply not function, these are needed to identify the user, e.g. to manage whether they have logged in, what they have added to their shopping cart, etc. This is typically a session ID, the rest of the data is stored on the server, which is more secure. There is a security aspect, if the session cookie value is not generated correctly then there is a risk of a session hijacking attack, so it is imperative that these values are generated correctly. Other terminology calls session cookies all cookies that are deleted when you exit the browser (a session is a browser session from start to exit).
2.3.2.Usage cookies: these are cookies that remember the user’s choices, for example, how the user wants to view the site. These types of cookies are essentially the preferences data stored in the cookie.
2.3.3 Performance cookies: although they have little to do with “performance”, this is usually the name given to cookies that collect information about the user’s behaviour, time spent on a website, clicks and clicks. These are typically third-party applications (e.g. Google Analytics, AdWords, or Yandex.ru cookies). They can be used to profile the visitor.
2.4. Acceptance or authorisation of the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent. While most browsers automatically accept cookies by default, these can usually be changed to prevent automatic acceptance and will offer you the choice each time.
That said, please note that certain website features or services may not function properly without cookies.
3. Information about the cookies used on the Company’s website and the data generated during the visit
3.1.Data processed during the visit: our website may record and process the following data about the visitor and the device used for browsing the website:
– the IP address used by the visitor,
– the browser type,
– the characteristics of the operating system of the device used for browsing (language set),
– time of the visit
– the (sub)page, function or service visited.
– click.
This data is kept for up to 90 days and may be used primarily to investigate security incidents.
3.2. Cookies used on the website
3.2.1. Technically necessary session cookies
The purpose of the processing: to ensure the proper functioning of the website. These cookies are necessary to enable visitors to browse the website, to use its functions smoothly and fully, to use the services available through the website, including, in particular, to note the actions carried out by the visitor on the pages concerned or to identify the logged-in user during a visit. The duration of the processing of these cookies is limited to the current visit of the visitor, and this type of cookie is automatically deleted from his/her computer at the end of the session or when the browser is closed.
The legal basis for this data processing is Article 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Elkertv.), according to which the service provider may process personal data that are technically necessary for the provision of the service. The service provider must, other things being equal, choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only if absolutely necessary for the provision of the service and for the fulfilment of the other purposes specified in this Act, but in this case only to the extent and for the duration necessary.
3.2.1. Usage cookies:
These remember the user’s choices, such as what form the user wants the page to take. These types of cookies are essentially the preferences data stored in the cookie.
The legal basis for processing is the consent of the visitor.
Purpose of data processing: to increase the efficiency of the service, to enhance the user experience, to make the use of the website more convenient.
This data is rather on the user’s computer, the website just accesses it and recognises the visitor.
3.2.2. Performance cookies:
They collect information about the user’s behaviour, time spent on the website visited, clicks. These are typically third party applications (e.g. Google Analytics, AdWords).
Legal basis for processing: consent of the data subject.
Purpose of data processing: analysis of the website, sending advertising offers.
I. A brief summary of the data subject’s rights:
1. Transparent information, communication and facilitation of the exercise of data subject’s rights
2. Right to prior information – where personal data are collected from the data subject
3. Informing the data subject and the information to be provided to him or her where the personal data have not been obtained by the controller from him or her
4. Right of access of the data subject
5. The right to rectification
6. Right to erasure (“right to be forgotten”)
7. Right to restriction of processing
8. Obligation to notify the rectification or erasure of personal data or the restriction of processing
9. The right to data portability
10. The right to object
11. Automated decision-making in individual cases, including profiling
12. Restrictions
13. Informing the data subject of the personal data breach
14. Right to lodge a complaint with a supervisory authority (right to official redress)
15. Right to an effective judicial remedy against the supervisory authority
16. Right to an effective judicial remedy against the controller or processor
II. The rights of the data subject in detail:
1. Transparent information, communication and facilitation of the exercise of data subject rights
1.1 The controller shall provide the data subject with all information and any particulars relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular in the case of any information addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, information may be provided orally, provided that the identity of the data subject has been verified by other means.
1.2 The controller must facilitate the exercise of the data subject’s rights.
1.3 The controller shall inform the data subject of the measures taken in response to his or her request to exercise his or her rights without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months under the conditions laid down in the Regulation.
1.4 If the controller fails to act on a request from the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.
1.5 The data controller shall provide the information and the information and action on the rights of the data subject free of charge, but may charge a fee in the cases provided for in the Regulation.
The detailed rules can be found under Article 12 of the Regulation.
2. Right to prior information – where personal data are collected from the data subject
2.1.The data subject shall have the right to be informed of the facts and information relating to the processing prior to the start of the processing. In this context, the data subject shall be informed:
a) the identity and contact details of the controller and its representative,
b) the contact details of the Data Protection Officer (if any),
c) the purposes for which the personal data are intended to be processed and the legal basis for the processing,
(d) in the case of processing based on legitimate interests, the legitimate interests of the controller or a third party,
e) the recipients to whom the personal data are disclosed and the categories of recipients, if any;
(e) where applicable, the fact that the controller intends to transfer the personal data to a third country or an international organisation.
2.2 To ensure fair and transparent processing, the controller must provide the data subject with the following additional information:
(a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
(b) the data subject’s right to request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the data subject’s right to data portability;
(c) in the case of processing based on the data subject’s consent, the right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of the personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract, whether the data subject is under an obligation to provide the personal data and the possible consequences of not providing the data;
(f) the fact of automated decision-making, including profiling, and, at least in those cases, the logic used and clear information on the significance of such processing and the likely consequences for the data subject.
2.3 If the controller intends to further process personal data for a purpose other than that for which they were collected, the controller must inform the data subject of that other purpose and of any relevant additional information before further processing.
The detailed rules on the right to prior information are set out in Article 13 of the Regulation.
3. Informing the data subject and the information to be provided to him or her where the personal data have not been obtained by the controller from him or her
3.1 If the controller has not obtained the personal data from the data subject, the data subject shall be informed by the controller no later than one month after the personal data have been obtained; if the personal data are used for the purpose of contacting the data subject, at least at the time of the first contact with the data subject; or, if the data are likely to be disclosed to another addressee, no later than the time of the first disclosure of the personal data, in accordance with the provisions of paragraph 2. the facts and information referred to in point (2), the categories of personal data concerned and the source of the personal data and, where applicable, whether the data originate from publicly available sources.
3.2 The additional rules are those set out in section 2 (Right to prior information) above.
The detailed rules for this information are set out in Article 14 of the Regulation.
4. Right of access of the data subject
4.1 The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the related information described in points 2-3 above (Article 15 of the Regulation).
4.2 Where personal data are transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the Regulation.
4.3 The controller must provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules on the right of access of the data subject are laid down in Article 15 of the Regulation.
5. The right to rectification
5.1 The data subject shall have the right to obtain from the Data Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her.
5.2 Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
These rules are set out in Article 16 of the Regulation.
6. Right to erasure (“right to be forgotten”)
6.1 The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay at his or her request, and the controller shall be obliged to erase personal data relating to him or her without undue delay if.
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
(c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
f) the personal data were collected in connection with the provision of information society services directly to a child.
6.2 The right to erasure cannot be exercised if the processing is necessary
a) for the exercise of the right to freedom of expression and information;
(b) to comply with an obligation under Union or Member State law to which the controller is subject or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) on the basis of public interest in the field of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or
(e) for the presentation, exercise or defence of legal claims.
Detailed rules on the right to erasure are set out in Article 17 of the Regulation.
7. Right to restriction of processing
7.1 Where processing is restricted, such personal data, except for storage, may only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
7.2 The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller if one of the following conditions is met:
(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
(c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
7.3 The data subject shall be informed in advance of the lifting of the restriction on processing.
The relevant rules are set out in Article 18 of the Regulation.
8. Obligation to notify the rectification or erasure of personal data or the restriction of processing
The controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients.
These rules are set out in Article 19 of the Regulation.
9. The right to data portability
9.1 Subject to the conditions set out in the Regulation, the data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data, if.
(a) the processing is based on consent or on a contract; and
(b) the processing is carried out by automated means.
9.2 The data subject may also request the direct transfer of personal data between controllers.
9.3 The exercise of the right to data portability shall be without prejudice to Article 17 of the Regulation (Right to erasure (“right to be forgotten”). The right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.
The detailed rules are set out in Article 20 of the Regulation.
10. The right to object
10.1 The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data based on the public interest, the performance of a public task (Article 6(1)(e)) or a legitimate interest (Article 6(f)), including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
10.2 Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
10.3 These rights must be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information must be clearly displayed separately from any other information.
10.4 The data subject may exercise the right to object by automated means based on technical specifications.
10.5 Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The relevant rules are set out in the Regulation.
11. Automated decision-making in individual cases, including profiling
11.1 The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
11.2 This right does not apply if the decision:
(a) necessary for the conclusion or performance of a contract between the data subject and the controller;
(b) permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
(c) based on the explicit consent of the data subject.
11.3 In the cases referred to in points (a) and (c) above, the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.
Further rules are set out in Article 22 of the Regulation.
12. Restrictions
Union or Member State law applicable to a controller or processor may limit the scope of rights and obligations (Articles 12 to 22, 34 and 5 of the Regulation) by legislative measures, if the limitation respects the essential content of fundamental rights and freedoms,
The conditions for this restriction are set out in Article 23 of the Regulation.
13. Informing the data subject of the personal data breach
13.1 Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. This information shall clearly and plainly describe the nature of the personal data breach and shall include at least the following:
(a) the name and contact details of the Data Protection Officer or other contact person who can provide further information;
(c) describe the likely consequences of the data breach;
(d) describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
13.2 The data subject need not be informed if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
(b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
c) the information would require a disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information or by a similar measure ensuring that the data subject is informed in an equally effective manner.
Further rules are set out in Article 34 of the Regulation.
14. Right to lodge a complaint with a supervisory authority (right to official redress)
The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation. The supervisory authority with which the complaint has been lodged must inform the data subject of the procedural developments concerning the complaint and of the outcome of the complaint, including the right of the data subject to judicial remedy.
These rules are set out in Article 77 of the Regulation.
15. Right to an effective judicial remedy against the supervisory authority
15.1 Without prejudice to any other administrative or non-judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her.
15.2 Without prejudice to other administrative or non-judicial remedies, any data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint lodged or of the outcome of the complaint.
15.3 Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
15.4 If proceedings are brought against a decision of the supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall send the opinion or decision to the court.
These rules are set out in Article 78 of the Regulation.
16. Right to an effective judicial remedy against the controller or processor
16.1 Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority, any data subject shall have an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.
16.2 Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority.
These rules are set out in Article 79 of the Regulation.
Done at Budapest (Hungary), 2024. 04. 01.
