Amendment No.:
2018–2026
Árgyó Balázs Sole Proprietor
This policy is reviewed and maintained every 3 years, depending on changes in legislation.
Entered into force: 15 May 2026
Applicable from: 15 May 2026
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter referred to as the Regulation, requires the Data Controller to take appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Data Controller is also required to facilitate the exercise of the data subject’s rights.
The obligation to provide prior information to the data subject is also prescribed by Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information.
By providing the information below, we comply with this legal obligation. This notice must be published at the Company’s premises or sent to the data subject upon request.
Name / Company name:
Árgyó Balázs Sole Proprietor
Registered seat:
2640 Szendehely, Mező utca 32.
Tax number:
48377638-1-32
Postal address:
2640 Szendehely, Mező utca 32.
NAIH registration number:
58700383
Hereinafter referred to as the Company.
A data processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller; Article 4(8) of the Regulation.
The prior consent of the data subject is not required for the use of a data processor, but the data subject must be informed. Accordingly, we provide the following information.
In order to fulfil its tax and accounting obligations, our Company uses an external service provider under an accounting services contract. This service provider also processes the personal data of natural persons who have a contractual or payer relationship with our Company, for the purpose of fulfilling the tax and accounting obligations of our Company.
Name / Company name: Róna Julianna Sole Proprietor
Registered seat: 1144 Budapest, Ond vezér útja 37.
Tax number: 6069271-1-42
Postal address: same as above
Representative: Róna Julianna
These data processors receive from our Company the personal data necessary for the delivery of the ordered product, including the data subject’s name, address and phone number, and use these data to deliver the product.
Service provider: Magyar Posta
The hosting provider does not perform data processing tasks, but provides space on its web server for the website edited by me, http://www.fiziosende.hu, for the duration of the contract. It does not save or list e-mail addresses or visitors’ URLs.
Rackhost Zrt. hereinafter referred to as Data Controller
Registered seat: 6722 Szeged, Tisza Lajos körút 41.
Company registration number: 06-10-000489
Tax number: 25333572-2-06
Website: www.rackhost.hu
E-mail: info@rackhost.hu
The service provider’s privacy statement is attached separately.
The company operating the appointment booking system provides the registration of appointments for various healthcare services, the collection of data required for invoicing, and the data necessary for maintaining contact.
Name: booked4.us Kft.
Registered seat: H-2600 Vác, Zichy H. utca 12.
Representative: Péter Balogh
Company registration number: 13-09-198371
Tax number: 26668901-2-13
Data protection contact person: Péter Balogh
E-mail: data-control@booked4.us
Phone number: +36 1 998 9123
The service provider’s privacy statement is attached separately.
(1) Only such data may be requested from and recorded about employees, and only such occupational medical fitness examinations may be carried out, as are necessary for the establishment, maintenance and termination of employment, and for the provision of social and welfare benefits, provided that they do not violate the employee’s personal rights.
(2) On the legal basis of enforcing the legitimate interests of the employer, Article 6(1)(f) of the Regulation, the Company processes the following data of the employee for the purpose of establishing, performing or terminating employment:
(3) Data relating to illness and trade union membership may only be processed by the employer for the purpose of fulfilling a right or obligation specified in the Labour Code.
(4) Recipients of the personal data: the employer’s manager, the person exercising employer rights, employees and data processors of the Company performing labour-related tasks.
(5) Only the personal data of executive employees may be transferred to the owners of the Company.
(6) Duration of storage of personal data: 3 years after the termination of employment.
(7) Before the start of data processing, the data subject must be informed that the processing is based on the Labour Code and the enforcement of the employer’s legitimate interests.
(1) Only such fitness examinations may be applied to an employee that are prescribed by rules relating to employment, or that are necessary for exercising a right or fulfilling an obligation defined by employment-related rules. Before the examination, employees must be informed in detail, among other things, about what skill or ability the fitness examination is intended to assess, and by what tool or method the examination is carried out. If the examination is required by law, employees must also be informed of the title of the legislation and the exact legal provision.
(2) Test forms aimed at assessing work fitness or preparedness may be completed by employees both before the establishment of employment and during the employment relationship.
(3) Psychological or personality tests may only be completed by a larger group of employees for purposes clearly related to employment, such as improving or organising work processes more effectively, if the data revealed during the analysis cannot be linked to specific individual employees, meaning that the data are processed anonymously.
(4) Scope of personal data that may be processed: the fact of occupational fitness and the conditions necessary for it.
(5) Legal basis of data processing: the employer’s legitimate interest.
(6) Purpose of processing personal data: establishment and maintenance of employment and filling a job position.
(7) Recipients or categories of recipients of personal data: the results of the examination may be known by the employees examined and the professional conducting the examination. The employer may only receive information on whether the examined person is fit for the job or not, and what conditions must be provided for this. However, the employer may not access the details or full documentation of the examination.
(8) Duration of processing personal data: 3 years after the termination of employment.
(1) Scope of personal data that may be processed: name, date and place of birth, mother’s name, address, qualification data, photograph, phone number, e-mail address, and employer’s notes about the applicant, if any.
(2) Purpose of processing personal data: assessment of the application and conclusion of an employment contract with the selected applicant. The data subject must be informed if they have not been selected for the given position.
(3) Legal basis of data processing: the consent of the data subject.
(4) Recipients or categories of recipients of personal data: the manager entitled to exercise employer rights at the Company and employees performing labour-related tasks.
(5) Duration of storage of personal data: until the application is assessed. The personal data of applicants who are not selected must be deleted. The data of applicants who withdraw their application must also be deleted.
(6) The employer may retain applications only on the basis of the data subject’s explicit, clear and voluntary consent, provided that retention is necessary for achieving a lawful data processing purpose. Such consent must be requested from applicants after the recruitment procedure has been closed.
(1) On the legal basis of contract performance, the Company processes the following data of natural persons contracted with it as customers or suppliers for the purpose of concluding, performing or terminating the contract, or granting contractual benefits:
name, birth name, date of birth, mother’s name, address, tax identification number, tax number, entrepreneur’s or primary producer’s certificate number, identity card number, registered seat or site address, phone number, e-mail address, website address, bank account number, customer number, order number, online identifier, customer and supplier lists, and loyalty customer lists.
This data processing is also lawful if the processing is necessary in order to take steps at the request of the data subject prior to entering into a contract.
Recipients of the personal data: employees of the Company performing customer service tasks, employees performing accounting and tax-related tasks, and data processors.
Duration of processing personal data: 5 years after the termination of the contract.
(2) Before data processing begins, the data subject must be informed that the data processing is based on the performance of a contract. This information may also be included in the contract.
(3) The data subject must be informed about the transfer of their personal data to a data processor.
(1) Scope of personal data that may be processed: name, address, phone number, e-mail address and online identifier of the natural person.
(2) Purpose of processing personal data: performance of the contract concluded with the Company’s legal entity partner and maintaining business contact. Legal basis: consent of the data subject.
(3) Recipients or categories of recipients of personal data: employees of the Company performing customer service tasks.
(4) Duration of storage of personal data: 5 years after the end of the business relationship or the representative status of the data subject.
(1) Cookies are short data files placed on the user’s computer by the visited website. The purpose of cookies is to make the given information and communication technology or internet service easier and more convenient to use. There are many types of cookies, but they can generally be divided into two main categories. One is the temporary cookie, which is placed on the user’s device by the website only during a given session, for example during secure identification for internet banking. The other type is the persistent cookie, such as a website language setting, which remains on the computer until the user deletes it. Based on the guidelines of the European Commission, cookies, except those that are strictly necessary for the use of the given service, may only be placed on the user’s device with the user’s permission.
(2) In the case of cookies that do not require the user’s consent, information must be provided during the first visit to the website. It is not necessary for the full text of the cookie notice to appear on the website; it is sufficient for the website operator to briefly summarise the essence of the notice and refer to the full notice through a link.
(3) In the case of cookies requiring consent, the notice may also be linked to the first visit to the website if the data processing associated with the use of cookies begins upon visiting the site. If the use of cookies is related to a function expressly requested by the user, the notice may also appear in connection with the use of that function. In this case, it is also not necessary for the full text of the cookie notice to appear on the website; a brief summary of the essence of the notice and a link to the full notice are sufficient.
(1) In line with generally accepted internet practices, our Company also uses cookies on its website. A cookie is a small file containing a string of characters that is placed on the visitor’s computer when they visit a website. When the visitor returns to the same website, the cookie allows the website to recognise the visitor’s browser.
Cookies may store user preferences, such as the selected language, and other information. Among other things, they collect information about the visitor and their device, remember the visitor’s individual settings, and may be used, for example, when using online shopping carts.
In general, cookies make the website easier to use, help provide users with a genuine web experience, and serve as an effective source of information. They also enable the website operator to monitor the operation of the website, prevent misuse, and ensure the smooth and proper provision of the services available on the website.
(2) During the use of the website, our Company records and processes the following data about the visitor and the device used for browsing:
(3) Accepting and enabling the use of cookies is not mandatory. You may reset your browser settings to reject all cookies or to notify you when a cookie is being sent. Although most browsers automatically accept cookies by default, these settings can usually be changed in order to prevent automatic acceptance and to offer the option of choice each time.
(4) The cookies used on the website are not, in themselves, suitable for identifying the user personally.
(1) On the website, the registering natural person may give consent to the processing of their personal data by ticking the relevant checkbox. Pre-ticking the checkbox is prohibited.
(2) Scope of personal data that may be processed: name of the natural person, surname and first name, address, phone number, e-mail address and online identifier.
(3) Purpose of processing personal data:
(4) Legal basis of data processing: consent of the data subject.
(5) Recipients or categories of recipients of personal data: employees of the Company performing tasks related to customer service and marketing activities, and, as data processor, employees of the Company’s IT service provider performing hosting services.
(6) Duration of storage of personal data: for the duration of the registration or service, or until the consent of the data subject is withdrawn, meaning until the deletion request is submitted.
(1) At our Company’s premises and in rooms open to customer reception, the Company uses an electronic surveillance system for the protection of human life, physical integrity, personal freedom, business secrets and property protection. This system may enable image, audio, or image and audio recording. On this basis, the behaviour of the data subject recorded by the camera is also considered personal data.
(2) The legal basis of this data processing is the enforcement of the employer’s legitimate interests and the consent of the data subject.
(3) A clearly visible and legible warning sign and information notice must be placed in a manner that helps third parties wishing to enter the area to become informed about the use of the electronic surveillance system in the given area. Information must be provided for each camera. This notice must include information on the fact of surveillance carried out by the electronic property protection system, the purpose of making and storing image and audio recordings containing personal data recorded by the system, the legal basis of data processing, the place and duration of storage of the recordings, the person using and operating the system, the persons entitled to access the data, and the rights of the data subjects and the procedure for enforcing those rights.
(4) Image and audio recordings of third parties entering the monitored area, such as customers, visitors and guests, may be made and processed with their consent. Consent may also be given by implied conduct. Implied conduct includes, in particular, when the natural person enters the monitored area despite the notice informing them about the use of the electronic surveillance system displayed there.
(5) In the absence of use, recorded footage may be stored for a maximum of 3 working days. Use means when the recorded image footage or other personal data is intended to be used as evidence in court or other official proceedings.
(6) A person whose right or legitimate interest is affected by the recording of image, audio, or image and audio footage may, within three working days of the recording, request that the data controller not destroy or delete the data, provided that they prove their right or legitimate interest.
(7) An electronic surveillance system may not be used in any room where surveillance may violate human dignity, in particular in changing rooms, showers, toilets, medical rooms or their waiting rooms, or in rooms designated for employees to spend their work breaks.
(8) If no one may lawfully be present at the workplace, in particular outside working hours or on public holidays, the entire workplace may be monitored, including changing rooms, toilets and rooms designated for work breaks.
(9) In addition to persons authorised by law, the operating staff, the employer’s manager and deputy, and the workplace manager of the monitored area are entitled to view data recorded by the electronic surveillance system for the purpose of detecting infringements and checking the operation of the system.
(1) The Business may process personal data only in accordance with the activities set out in this policy and according to the purpose of data processing.
(2) The Business ensures the security of data and undertakes to take all technical and organisational measures that are essential for enforcing the legal provisions relating to data security, data protection and confidentiality. It also establishes the procedural rules necessary for the enforcement of the above-mentioned legislation.
(3) The technical and organisational measures to be implemented by the Business are aimed at the following:
(4) When determining the appropriate level of security, specific account must be taken of the risks arising from data processing, in particular risks resulting from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed.
(5) The Business protects the data by appropriate measures against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, and against becoming inaccessible due to changes in the technology used.
(6) The Business keeps records of the data it processes in accordance with the applicable laws, ensuring that the data may only be accessed by employees and other persons acting within the Business’s sphere of interest who need access in order to perform their duties.
(7) The Business stores the personal data provided during individual data processing activities separately from other data, with the proviso that, in line with the above, separate data files may only be accessed by employees with the appropriate access rights.
(8) The managers and employees of the Business do not transfer personal data to third parties and take the necessary measures to exclude unauthorised access.
(9) The Business grants access to personal data only to those employees who, with regard to the personal data processed, have undertaken to comply with data security rules by making a confidentiality declaration.
(10) When determining and applying measures serving data security, the Business takes into account the current state of technology and, where several data processing solutions are possible, chooses the solution providing a higher level of protection for personal data, unless this would involve disproportionate difficulty.
(1) With regard to its IT records, the Business takes the following necessary measures to ensure data security:
The Business uses an external IT contractor for the maintenance of computer equipment and the website. Access security to the devices is ensured with a username and password combination, and daily backups are made to an external USB storage device.
(1) The Business takes the necessary measures to protect paper-based records, in particular with regard to physical security and fire protection.
(2) The manager, employees and other persons acting on behalf of the Business are required to securely store and protect any data carriers used by them or in their possession that contain personal data, regardless of the method of recording, against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage.
(3) Data related to various healthcare services are stored on paper, by service type, in a lockable metal cabinet. Data related to individual services may only be used by the person providing the treatment or service. At the request of the data subject, the data are handed over to the data subject, and thereafter only data related to invoicing are processed.
(1) On the legal basis of fulfilling a legal obligation, the Company processes the data specified by law of natural persons entering into business relationships with it as customers or suppliers, for the purpose of fulfilling tax and accounting obligations prescribed by law, including bookkeeping and taxation.
The processed data include, in particular, based on Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax: tax number, name, address and tax status. Based on Section 167 of Act C of 2000 on Accounting: name, address, designation of the person or organisation ordering the economic transaction, the person authorising the transaction and the person confirming its execution, and, depending on the organisation, the signature of the controller; on stock movement documents and cash management documents, the signature of the recipient; on counter-receipts, the signature of the payer. Based on Act CXVII of 1995 on Personal Income Tax: entrepreneur’s certificate number, primary producer’s certificate number and tax identification number.
(2) Duration of storage of personal data: 8 years after the termination of the legal relationship forming the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing taxation, accounting, payroll and social security tasks.
(1) On the legal basis of fulfilling a legal obligation, the Company processes the personal data prescribed by tax laws of data subjects with whom it has a payer relationship, including employees, their family members, employed persons and recipients of other benefits, for the purpose of fulfilling tax and contribution obligations prescribed by law, including determining tax, tax advances and contributions, payroll, social security and pension administration.
The scope of processed data is defined by Section 50 of Act CL of 2017 on the Rules of Taxation, including in particular the natural identification data of the natural person, including previous name and title, gender, citizenship, tax identification number and social security identification number.
If tax laws attach legal consequences to this, the Company may process employees’ health data and data relating to trade union membership for the purpose of fulfilling tax and contribution obligations, including payroll and social security administration.
(2) Duration of storage of personal data: 8 years after the termination of the legal relationship forming the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing taxation, payroll and social security payer-related tasks.
(1) On the legal basis of fulfilling a legal obligation, the Company processes documents qualifying as being of permanent value under Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archival Material, for the purpose of preserving the permanently valuable part of the Company’s records intact and in usable condition for future generations.
Data storage period: until transfer to the public archives.
(2) The provisions of the Archives Act apply to the recipients of personal data and other issues of data processing.
The Data Controller informs the data subject without undue delay, and in any case within one month of receipt of the request, about the measures taken following the data subject’s request to exercise their rights.
Where necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Data Controller informs the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.
If the data subject submitted the request electronically, the information must be provided electronically where possible, unless the data subject requests otherwise.
If the Data Controller does not take action on the data subject’s request, the Data Controller informs the data subject without delay, and no later than within one month of receipt of the request, of the reasons for not taking action, and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise their right to judicial remedy.
The Data Controller provides the information referred to in Articles 13 and 14 of the Regulation, as well as information and measures relating to the rights of the data subject under Articles 15–22 and 34 of the Regulation, free of charge. If the data subject’s request is clearly unfounded or excessive, in particular because of its repetitive nature, the Data Controller may, taking into account the administrative costs of providing the requested information or taking the requested action:
The Data Controller bears the burden of proving the clearly unfounded or excessive nature of the request.
If the Data Controller has reasonable doubts concerning the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the data subject.
For the sake of clarity and transparency, this chapter briefly summarises the rights of the data subject.
The data subject has the right to receive information about the facts and information related to data processing before data processing begins.
Articles 13–14 of the Regulation.
The data subject has the right to receive confirmation from the Data Controller as to whether their personal data are being processed. Where such processing is in progress, the data subject has the right to access the personal data and the related information specified in the Regulation.
Article 15 of the Regulation.
The data subject has the right to request that the Data Controller rectify inaccurate personal data concerning them without undue delay. Taking into account the purpose of data processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.
Article 16 of the Regulation.
The data subject has the right to request that the Data Controller delete personal data concerning them without undue delay, and the Data Controller is obliged to delete personal data concerning the data subject without undue delay where one of the grounds specified in the Regulation applies.
Article 17 of the Regulation.
The data subject has the right to request that the Data Controller restrict data processing if the conditions specified in the Regulation are met.
Article 18 of the Regulation.
The Data Controller informs each recipient to whom the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort. At the request of the data subject, the Data Controller informs the data subject about these recipients.
Article 19 of the Regulation.
Under the conditions set out in the Regulation, the data subject has the right to receive the personal data concerning them that they have provided to a Data Controller in a structured, commonly used and machine-readable format, and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to whom the personal data were provided.
Article 20 of the Regulation.
The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e), processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or Article 6(1)(f), processing necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party.
Article 21 of the Regulation.
Detailed rules are provided in the following chapter.
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning them or similarly significantly affect them.
Article 22 of the Regulation.
Union or Member State law applicable to the Data Controller or data processor may restrict, by legislative measures, the rights and obligations laid down in Articles 12–22 and Article 34 of the Regulation, in accordance with the rights and obligations set out in Articles 12–22.
Article 23 of the Regulation.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller informs the data subject about the personal data breach without undue delay.
Article 34 of the Regulation.
The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the Regulation.
Article 77 of the Regulation.
Every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or if the supervisory authority does not handle the complaint or does not inform the data subject within three months about the progress or outcome of the complaint submitted.
Article 78 of the Regulation.
Every data subject has the right to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in breach of the Regulation.
Article 79 of the Regulation.
