Data protection information

1. Purpose of the prospectus

The purpose of this information notice is to set out

Bio Factor Ltd
Represented by: Andreieva Olena
Tax number: 28954527-2-41
Company registration number: 01-09-377159
Address: 1028 Budapest, Gazda utca 19.
Website: www.inglow.hu
Email: info@inglow.hu
Phone: +36/30-553-0006

hereinafter referred to as – the data protection and data management policy applied by the Data Controller, and that, in relation to the processing of personal data, the data subjects are subject to the processing of personal data at: www.inglow.hu
visitors to the website (hereinafter referred to as the Website) and other data subjects are properly informed about the processing of their personal data.

In formulating these rules, the Data Controller has taken particular account of.

  • the Fundamental Law;
  • on the right of information self-determination and freedom of information of 2011. Act CXII of 2006 (hereinafter: Info tv.);
  • the Civil Code 2013. Act V of 2007 (hereinafter referred to as the “Civil Code”);
  • for the protection of individuals with regard to automatic processing of personal data, Strasbourg, 28 January 1981. 1998 on the proclamation of the Convention of the Protection of the Rights of All Migrant Workers. VI. law;
  • Regulation 2016/679 of the European Parliament and of the Council (GDPR Regulation);

2. Definitions used in the prospectus

Data processing: the performance of technical tasks related to data processing operations;

Data processing: any operation or set of operations which is performed upon data, regardless of the method used, in particular collection, recording, recording, organisation, storage, alteration, use, consultation, disclosure, transmission, alignment
or interconnection, blocking, erasure and destruction of data, as well as the prevention of their further use, the taking of photographs, audio or video recordings;

Data controller: a natural or legal person or a company with legal personality who, alone or jointly with others, determines the purposes for which the data are processed, takes and implements decisions regarding the processing (including the means used) or has them implemented by a processor on its behalf;

Transfer: making data available to a specified third party;

Data erasure: the rendering of data unrecognisable in such a way that it cannot be recovered;

Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Third party: a natural or legal person or any other body which is not the same as the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, process the personal data
have been authorised;

Contribution: a voluntary and explicit expression of the Data Subject’s wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, whether in full or in relation to specific operations; Personal Data: Data that can be associated with a particular natural person, in particular his or her name, identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the conclusions that can be drawn from the data concerning the Data Subject, which are not in the public interest or in the public domain. Personal data includes, among others, name, address, telephone number and e-mail address;

Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the deletion of the processed data.

3. Data processing principles

The data processing carried out by the Data Controller complies with the GDPR and the Infotv. data management principles, which are:

Principles of lawfulness, fairness and transparency: personal data must be processed lawfully and fairly and in a transparent manner for the Data Subject.

Purpose limitation principle: Personal data must be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes.

Data minimisation principle: Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Accuracy principle: Personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay.

Limited Retention Principle: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and Confidentiality Principle: Personal data must be processed in a way that ensures adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.

Accountability principle: The Data Controller is responsible for compliance with the Principles and must be able to demonstrate such compliance.

In addition to the principles of data processing, the requirement of adequate information can be identified as a common requirement, as Data Controllers must inform Data Subjects of the processing for any legal basis for processing.

4. Scope of data processed, purpose, legal basis and duration of data processing

4.1 Contacting us via the websites

The Data Subject has the possibility to contact the Data Controller through the Website operated by the Data Controller and through the contact telephone number (+36/30-553-0006).

Data subject to processing: the name and email address of the Data Subject, telephone number and other personal data voluntarily provided by the Data Subject in the email

Purpose of processing: to establish contact between the Data Subject and the Controller

Legal basis for processing: the Data Subject’s consent – the Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes (GDPR
Regulation 6. Article 2(1)(a))

4.2 Social media presence

The Data Controller is present on the social networking sites Facebook, TikTok and Instagram. Contacting, contacting, following, and other operations permitted by the social networking site with the Data Controller through social networking sites are based on voluntary consent.

Social networking sites operated by the Data Controller:

Facebook: https://www.facebook.com/inglowbudapest
Instagram: inglow.budapest
TikTok: @inglow.aesthetics

You can subscribe to content posted on social networking sites by clicking on the “like” or “follow” link.

The purpose of the presence on social networking sites and the related data processing is the sharing, publishing and marketing of content concerning the Data Controller on social networking sites.

Data subject: the Data Subject’s name, picture and other data voluntarily shared about him or herself are visible

Purpose of data processing: contacting, informing about current information, news concerning the Data Controller

Legal basis for processing: the Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes – GDPR 6. Article 2(1)(a)

Duration of processing: the Data Subject can unsubscribe from the social media interfaces of the Data Controller in the way used on the social media site (opt-out, unsubscribe, etc.) or delete unwanted messages on the message board using the settings of the message board.

4.3. Cookies

A cookie is a small text file that is stored on the hard drive of the Data Subject’s computer or mobile device for the expiry period set in the cookie and is reactivated on subsequent visits. Its purpose is to record information about the visit and the personal
preferences, but these are not personally identifiable information about the visitor. It helps to design a user-friendly website and to enhance the online experience of the Data Subject. If the Data Subject does not consent to the Data Processor using cookies when the Data Subject browses the website, the website may not function fully.

Data subject: the Data Controller will store all analytical information without name or other personal data

Purpose of processing: storage of the Data Subject’s personal preferences

Legal basis for processing: the Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes – GDPR 6. Article 2(1)(a)

Duration of processing: the Data Subject can delete the cookies stored on his/her computer or mobile phone at any time through the settings of his/her browser

4.4. Lotteries

The Data Controller may occasionally advertise prize draws on the Website and on social networking sites, which involve the processing of the personal data of the participants as Data Subjects.

Data subject: the Data Subject’s email address, name and, in the case of certain prize draws, other personal data

Purpose of processing: the participation of the Data Subject in the prize draw

Legal basis for processing: the Data Subject has given consent to the processing of one or more of his or her personal data
for a specific purpose – GDPR 6. Article 2(1)(a)

Duration of processing: if their further processing is no longer justified, they will be deleted immediately

4.5. Newsletter service

The Data Controller also keeps in touch with the Data Subjects by means of a newsletter, to whom – if they subscribe.
recommends your products, informs you about news and promotions related to its operations
them.

Data subject: scope of the data The email address of the Data Subject

Purpose of processing: to inform the Data Subject of relevant information about the Data Controller

Legal basis for processing: the Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes – GDPR 6. Article 2(1)(a)

Duration of data processing: until unsubscription from the newsletter, which can be cancelled by clicking on the “unsubscribe” link at the bottom of the newsletter.

5. Data processors

The following processor may have access to certain categories of personal data as necessary, subject to the relevant data management principles.

Data processor name: Google Ireland Limited
Contact: Ireland, Gordon House, Barrow Street Dublin 4.
Tasks: Google Analytics

Data Processor Name: Meta Platforms Ireland Limited
Contact: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Tasks: Facebook Instagram Customer Service (Facebook messenger)

Data Processor Name: The Rocket Science Group LLC (Mailchimp)
He can be reached at 675 Ponce De Leon Ave NE 5000, Atlanta, GA 30308, United States,
Tasks: newsletter service

Data Processor Name: MEDIACENTER HUNGARY Informatikai, Szolgáltató és Üzemeltető Korlátolt Felelősségű Társaság
Contact: 6000 Kecskemét, Erkel Ferenc utca 5.
Tasks: storage service provider

Data processor name: POSITIVE DESIGN INTERNATIONAL SRL
Contact: Sfantu Gheorghe, Covasna, Str. Nicolae Iorga 18 B
Tasks: IT service provider

The typical activity of Processors in relation to data processing is the provision of technical support. Processors may not make any substantive decisions regarding data processing, may process personal data of which they become aware only in accordance with the provisions of the Controller, may not process personal data for their own purposes, and must store and retain personal data in accordance with the provisions of the Controller.

You can find the Facebook Privacy Policy at the link below:
https://www.facebook.com/privacy/explanation

Google’s privacy policy can be found at the following link:
https://policies.google.com/privacy?hl=hu

MEDIACENTER HUNGARY Kft. you can find our privacy notice at the link below:
https://www.mediacenter.hu/doc/adatvedelmi_szabalyzat.pdf

You can find the Instagram Privacy Policy at the link below:
https://help.instagram.com/519522125107875

TikTok’s privacy policy can be found at the link below:
https://www.tiktok.com/legal/page/eea/privacy-policy/hu

In the framework of the Data Controller’s data processing activities, the Data Controller shall comply with GDPR 13. No automated decision-making or profiling pursuant to Article 3(2)(f) will take place.

6. Data transmission

As a general rule, the Data Controller will not transfer personal data processed by it to third parties, unless the Data Subject has given his or her explicit consent or unless required by law.

7. Data security

The Controller stores the personal data referred to above at its headquarters or in its IT system.

The Data Controller undertakes to ensure the security of the data in accordance with the provisions of the GDPR and the Infotv.

In the operation of IT systems, the necessary access control, internal organisation and technical solutions ensure that data cannot be accessed by unauthorised persons, deleted, deleted from the system or modified by unauthorised persons. The data controller shall also enforce data protection and data security requirements in relation to data processors.

It keeps records of any data protection incidents and, if necessary, informs the Data Subject and, if necessary, the National Authority for Data Protection and Freedom of Information (NAIH) of the incidents that occur.

Access to personal data is only granted to persons acting in the interest of the controller, who need it for the performance of their activities and who are aware of the obligations relating to the processing of the data and are familiar with them.

The Data Controller undertakes to ensure the security of the data using the most up-to-date and appropriate equipment and security rules, in particular to ensure that the data are not accessed by unauthorised persons or unlawfully disclosed, deleted or destroyed. It will do its utmost to ensure that the data is not accidentally damaged or destroyed. The above commitment is also required by the controller for its employees involved in the processing activity.

Under no circumstances will the Data Controller collect special data, i.e. data concerning racial or ethnic origin, membership of national or ethnic minorities, political opinions or party affiliations, religious or philosophical beliefs, membership of representative associations, health, pathological addiction, sex life or criminal records.

8. Rights of the Data Subject in the course of data processing

During the period of processing, the Data Subject shall have the following rights:

Right to information
The Data Controller must provide information in a reasonable way, in simple and accessible language that is easy to find (online or offline), on the relevant aspects of the processing. At the time of obtaining the personal data, or where the data subject subsequently requests information, the data subject shall be provided with the Privacy Notice and shall be asked to sign a declaration of acknowledgement, understanding and acceptance of the information contained therein.

The Data Subject has the right to request information at any time about the personal data concerning him or her processed by the Data Controller. Information can also be requested by e-mail, post or telephone at the e-mail address indicated in the information notice on the processing. The Data Controller shall provide the requested information within 30 days of the request.

Right to erasure
The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data relating to him or her without undue delay, and the Data Controller shall be obliged to erase personal data relating to the Data Subject without undue delay. Where the controller has given third parties access to the data to be deleted, it must inform all those to whom it has disclosed the data concerned to delete any references to or personal data held by them. The purpose is to ensure that, unless there is a legal or reasonable obstacle, the data concerned “disappear” from the databases that can be found.

The erasure need not be carried out if the processing is

  • necessary for the exercise of freedom of expression or the right to information;
  • necessary for the establishment, exercise or defence of legal claims;
  • necessary to comply with a legal obligation;
  • is necessary for archiving purposes in the public interest, scientific or historical research, statistical purposes and the deletion of the data would make it impossible or seriously jeopardise the purpose of the processing.

The Data Controller shall also delete personal data contained in its records relating to the data subject where the purpose for which the personal data were processed has ceased to exist.

In the case of paper documents, their destruction must be recorded in a protocol, in order to ensure that the competent authority is informed of the fact that they have been destroyed.
to prove.

Right to rectification of data:
The Data Subject may indicate that the data processed are inaccurate and request that they be replaced by what is indicated. The Data Controller is responsible for the accuracy of the data, so it is necessary to check its accuracy from time to time.

Right to restriction of processing:
The Data Subject may request the Controller to restrict the processing of his or her personal data, for example in the event of an unclear, contentious situation. If the processing is restricted, such personal data, except for storage, may only be processed with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

Right to data portability:
The Data Subject may request to receive the data processed concerning him or her in a structured, commonly used, machine-readable format (e.g. .doc, .pdf, etc.) and has the right to transmit these data to another controller without hindrance from the original controller. It makes it easier for data subjects to transfer their personal data from one controller to another.

Right to object
The Data Subject has the right to object at any time to the processing of his or her personal data for a specified reason, unless he or she has given his or her consent.

If the Data Subject wishes to exercise his or her rights, this will involve identification and communication with the Data Subject by the Data Controller as necessary, and therefore personal data will be required for identification (but identification will only be based on data that we already process about you) and your complaints about the processing will be available in our email account for the period of time specified in this notice in relation to complaints.

The Data Controller shall respond to complaints about the processing without delay and at the latest within 30 days.

9. Remedies

The Data Subject is entitled to lodge a complaint with the NAIH (1055 Budapest, Falk Miksa u. 9-11; www.naih.hu, Phone: +36 (1) 391-1400, Fax: +36 (1) 391-1410, E-mail: ugyfelszolgalat@naih.hu) or by contacting the Hungarian Civil Procedure Act 2016. CXXX. to enforce his or her rights concerning the processing of personal data before a court of competent jurisdiction under the law.

10. Final provisions

If, however, we intend to carry out further processing of the data collected for purposes other than those for which they were collected, we will inform the Data Subject prior to the further processing of the data of the following.
the purposes of the processing.

Data processing may only start after that, if the legal basis for the processing is consent, the Data Subject must also consent to the processing in addition to the information.

The Data Controller reserves the right to change this Policy or to amend it accordingly in the event of changes in European Union or Hungarian legislation.

This Privacy Notice 2023. month of July 1. is valid from.