+36 70 389 5841 info@my-med.eu

DATA MANAGEMENT INFORMATION ON THE PROCESSING OF PERSONAL DATA

By starting to use the website, the Data Subject accepts the conditions contained in this Data Management Information Sheet, therefore please read this Data Management Information Sheet carefully before starting to use the website, request an offer, make a complaint or make any other contact.

My Med Ltd. (hereinafter referred to as the Data Controller) hereby publishes the Data Management Information regarding data processing related to the website under the following domains:

https://www.my-med.eu/

https://www.myfiller.eu/

https://www.revitalize.eu/

https://www.ohcreams.eu/

https://www.beautyjourney.eu/

The Data Management Information applies to the processing of messages submitted through the mentioned websites and the handling of personal data recorded in the applications.

Withdrawal of consent to data processing does not have any adverse consequences. However, withdrawal of consent does not render the data processing prior to the withdrawal illegal or invalid. Therefore, the Data Controller cannot be held responsible for content and personal data shared by third parties on web platforms outside the Data Controller’s jurisdiction that may have been previously published and cannot be deleted by the Data Controller.

Data processing means any operation that is performed on data, in particular collecting, recording, registering, organising, storing, modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking, erasing and destroying the data, as well as preventing their further use, taking photos and making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples and iris scans). (Source: Act CXII of 2011 on the right to informational self-determination and on the freedom of information)

I. The details of the Data Controller

 Data controller: My Med Ltd.

 Headquarters: 2097 Pilisborosjenő, Téglagyári street 5-11.

 Mailing address: 2097 Pilisborosjenő, Téglagyári street 5-11.

 E-mail: Info@my-med.eu

 Telephone: +36-70/389-5841

 Tax number: 25708956-2-13

 Company registration number: 13 09 226394

 Contact person: Viktória Szabó-Iglár

 Hosting provider: https://www.auba.it

II. Legal basis for data processing:

The legal regulations regarding the Data Controller’s activities include, but are not limited to:

 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

 Act CXII of 2011 on the right to informational self-determination and on the freedom of information;

 Act V of 2013 on the Civil Code;

 Act CVIII of 2001 on certain issues related to electronic commerce services and information society services

 Act CLV of 1997 on consumer protection;

 Act CLXV of 2013 on complaints and public-interest reports;

 Act CVIII of 2001 on certain aspects of electronic commerce services and information society services;

 Act C of 2000 on Accounting;

 Act CLIV of 1997 on healthcare;

 Act XLVII of 1997 on the processing and protection of health and related personal data pursuant to the amendment of Act LXXII of 1999

III. Contact:

 Data Protection Officer (DPO): Viktória Szabó-Iglár;

 Telephone: +36-30/390-7930

 E-mail: gdpr@my-med.hu

IV. The exact scope of the managed data and the purpose of the data management

 Name;

 phone number;

 e-mail;

 Country of Origin;

 Photo.

The data controller manages personal data belonging to the following categories:

 contact details: data subject’s name, telephone number, electronic mail address, postal address;

 natural personal identification data: name of the data subject, mother’s name, photograph, as well as place and time of birth.

V. Legal basis and duration of data management

 Pursuant to Article 6 (1)(a) of the GDPR, the legal basis for data processing is the voluntary consent of the data subject.

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Data management period: 15 days after receipt of withdrawal of consent (technical deletion deadline), except in the case of a contract.

 Based on Article 6(1)(b) of the GDPR for the preparation and performance of a contract.

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Data management period: 5 years following the completion of the contract.

 Pursuant to Article 6(1)(f) of the GDPR, necessary for the legitimate interests of the Data Controller.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Data management period: 5 years after the resolution of the complaint (until the expiration of the civil law statute of limitations)

VI. Areas excluded from data management

The Data Controller does not manage data that is not collected from the Data Subject. The Data Subject can only provide their own personal data on the website or when using the contact information provided by the Data Controller on the website. If the data provider does not provide their own personal data, it is their obligation to obtain the consent of the Data Subject.

VII. Contact for complaints or other purposes

Personal data will be deleted simultaneously with the cessation of the purpose of data processing or immediately upon the request of the Data Subject, except for data that the Data Controller is obliged to retain for a specified period by a statutory obligation requiring mandatory data processing. In the case of complaint management, according to Section 17/B of Act CLV of 1997 on consumer protection, the record of oral complaints, written complaints, and responses provided by the Data Controller must be retained for a period of 5 (five) years.

Through the contact information provided on https://www.my-med.eu/, the Data Subject has the opportunity to contact the Data Controller in order to request an offer, submit a complaint or make contact for other purposes. In doing so, the following personal data is provided to the Data Controller:

 full name;

 e-mail address;

 phone number;

 mailing address.

In case of a verbal complaint, if the complaint could not be remedied immediately, the Data Controller creates a report containing the following information:

 name;

 home address;

 location, time, method, subject and content of complaint;

 unique identification number of the complaint.

The provision of personal data in the case of a complaint is required by law, while in the case of inquiries or other purposes, it is based on the Data Subject’s own decision. Failure to provide data in these cases will result in the impossibility of exchanging messages, maintaining contact, preparing and sending responses to inquiries or providing quotations, and conducting a comprehensive investigation into the complaint.

VIII. Data security

The Data Controller undertakes to ensure the security of the data, to take the technical and organizational measures and to establish the procedural rules that ensure that the recorded, stored and managed data are protected, as well as to prevent their destruction and unauthorized use and unauthorized alteration. It also undertakes to call on all third parties to whom the data is forwarded or transferred based on the Data Subject’s consent to comply with the requirement of data security.

The Data Controller ensures that unauthorized individuals cannot access, disclose, transmit, modify, or delete the processed data. Only the Data Controller, its employees, and the Data Processor engaged by it may have access to the processed data; it will not be disclosed to any third party without the authorization to access the data.

The Data Controller takes all necessary measures to prevent the accidental damage or destruction of the data. The commitment mentioned above is imposed by the Data Controller on its employees participating in the data processing activities.

Under no circumstances does the Data Controller collect special categories of data, i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data for the purpose of uniquely identifying individuals, health-related data, or data concerning the sexual life or sexual orientation of natural persons.

IX. Scope of persons authorized to access personal data, data processing

The Data Controller reserves the right to engage a data processor in its data processing activities in the future, and this information will be communicated to the Data Subjects through the modification of this Data Processing Information.

In the absence of explicit legal provisions, the Data Controller only transfers data suitable for personal identification to third parties with the explicit consent of the Data Subject.

X. Enforcement of the Data Subject’s rights

The Data Subject can send their request for the enforcement of rights to the Data Controller through any of the contact information provided above.

The Data Controller promptly, and no later than one month from the receipt of the request, informs the Data Subject about the measures taken in response to their request. If necessary, taking into account the complexity of the request and the number of requests, this period can be extended by an additional two months. The Data Controller informs the Data Subject about the extension of the deadline within one month of receiving the request, providing the reasons for the delay. If the Data Subject has submitted the request electronically, the information should, if possible, be provided electronically unless the Data Subject requests otherwise.

If the Data Controller does not take immediate action on the Data Subject’s request, they inform the Data Subject, without undue delay but no later than one month from the receipt of the request, about the reasons for not taking action and about the possibility of filing a complaint with a supervisory authority and exercising the right to judicial remedy.

In response to the Data Subject’s request, the information, notification, and any measures taken must be provided free of charge. If the Data Subject’s request is clearly unfounded or, especially due to its repetitive nature, excessive, the Data Controller may charge a reasonable administrative fee or refuse to act on the request, taking into account the administrative costs associated with providing the requested information or notification or taking the requested action. The burden of proving that the request is clearly unfounded or excessive rests with the Data Controller.

The Data Controller undertakes to inform every recipient about the correction, erasure, or restriction of processing of personal data unless this proves impossible or involves disproportionate effort. Upon the Data Subject’s request, the Data Controller informs them about these recipients.

XI.1. Access to personal data

Upon the request of the Data Subject, the Data Controller provides information on whether they process personal data concerning the Data Subject. If so, the Data Controller grants access to the Data Subject’s personal data and informs them about the following information:

 Purpose(s) of data management;

 types of personal data involved in data management;

 Legal basis and recipients of the data transfer, if the Data Subject’s personal data is transmitted;

 Planned duration of the data processing;

 Data Subject’s rights regarding the correction, deletion, and restriction of data processing, as well as the right to object to the processing of personal data;

 Possibility to contact the supervisory authority;

 Source of the data;

 Essential information about profiling;

 Name, address, and activities related to data processing of data processors.

XI.2. Correction of processed data

The Data Subject can request the correction of inaccurate personal data or the completion of incomplete data with due consideration to the purpose of data processing. The data controller will carry out the correction without undue delay.

XI.3. Deletion of processed data (right to be forgotten)

The data subject may request that the Data Controller delete their personal data without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:

a) the personal data are no longer needed for the purposes for which they were collected or otherwise processed;

b) the Data Subject withdraws their consent and there is no other legal basis for the data processing;

c) the Data Subject objects to the handling of their personal data;

d) the processing of personal data has been unlawfully carried out;

e) the deletion of personal data is required to fulfill a legal obligation under Union or Member State law applicable to the Data Controller;

f) the collection of personal data is based on consent regarding the offering of information society services to children.

If the Data Controller has made the personal data public (made it accessible to third parties) and is obligated to delete it based on the above, taking into account the available technology and the cost of implementation, they must take reasonable steps to inform other data controllers processing the personal data to erase any links to or copies or reproductions of that personal data requested by the Data Subject.

Personal data does not need to be deleted in cases where data management is necessary for:

• exercising the right to freedom of expression and information;

• fulfilling an obligation laid down by Union or Member State law to which the Data Controller is subject, or in the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

• protecting public health on the grounds of public interest;

• archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, to the extent that the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

• the establishment, exercise, or defense of legal claims.

XI.4. Limitation of data management

The Data Subject has the right to request that the Data Controller restrict the processing of personal data instead of correcting or deleting it, if one of the following conditions is met:

• The data subject disputes the accuracy of the personal data, in which case the restriction applies for a period that allows the Data Controller to verify the accuracy of the personal data;

• The processing is unlawful, and the data subject opposes the deletion of the data, instead requesting the restriction of their use;

• The Data Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; or

• The data subject has objected to the processing; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the Data Controller override those of the data subject.

If data management is subject to restrictions, such personal data may only be processed with the consent of the Data Subject, with the exception of storage, or to establish, enforce or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

The Data Controller informs the Data Subject, at whose request the data processing was restricted, in advance of the lifting of the restriction.

XI.5. Right to protest

The Data Subject may object to the processing of their personal data under the following circumstances:

 it is of public interest or necessary for the execution of a task performed in the context of the exercise of public authority vested in the Data Controller;

 it is necessary to enforce the legitimate interests of the Data Controller or a third party.

In the event of a protest by the data subject, the Data Controller may no longer process the personal data, unless it proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the Data Subject, or that are related to the establishment, exercise or defense of legal claims.

If personal data is processed for the purpose of direct business acquisition, the data subject has the right to object at any time to the processing of their personal data for this purpose. If the Data Subject objects to the processing of personal data for the purpose of direct business acquisition, then the personal data may no longer be processed for this purpose.

XI.6. Right to restrict

The data subject can request the Data Controller to restrict the processing of their data through the provided contact information. The requested data will remain restricted for as long as the reason specified by the data subject necessitates it. The restriction of data will be carried out promptly upon the data subject’s request, but no later than within 30 days.

XII. Remedies

The Data Controller does everything possible to ensure that personal data is handled in accordance with the law; however, if the Data Subject feels that this has not been complied with, they have the option to write to the Data Controller at any of the contact points mentioned above.

If the data subject believes that their right to the protection of personal data has been violated, they can seek remedies from competent authorities under the relevant regulations:

If the data subject believes that the Data Controller has violated the applicable data protection requirements in the processing of their personal data, they can:

 lodge a complaint with the Data Controller;

 initiate an investigation through a complaint to the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa street 9-11., postal address: 1363 Budapest, Pf.: 9.; e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu), or
