Privacy Policy

(hereinafter: "Information")

Last modification: April 27, 2023

Contents

1. Presentation of the Data Controller, responsibility for compliance with data management rules
1.1. The Data Controller.
1.2. Data management quality.
1.3. Data controller contact details
2. General provisions.
2.1. The purpose, content and related provisions of the Notice.
2.2. Concepts.
2.3. Rights of the Data Subject
2.3.1. Right to information and access.
2.3.2. Right to rectification and addition.
2.3.3. Right to limitation.
2.3.4. Withdrawal of consent, right to protest.
2.3.5. Right to erasure.
2.3.6. Legal remedy
2.3.7. Exercise of the Data Subject's rights.
3. Individual data management by the Data Controller.
3.1. Data management related to appointment booking.
3.3. Data management related to customer data sheet
3.4. Data management related to webshop order and user account
3.5. Contact
3.6. Data management related to newsletter (direct marketing).
3.7. Data management related to the use of the Website

1. Presentation of the Data Controller, responsibility for compliance with data management rules

1.1. The Data Controller

Heiszler Hair and Beauty Kft. (hereinafter: "Data Controller") operates the beauty salons called Heiszler Szalon fantasia (hereinafter: "Beauty Salon"), as well as the Website.

1.2. Data management quality

Heiszler Hair and Beauty Kft. is the data controller for those who use the Beauty Salon's treatments, use the Website, place orders and use the Webshop, as well as for the Data Subjects who contact the Data Controller.

In the case of online appointment booking, the Data Controller and Salonic are separately considered independent data controllers in the case of Data Subjects who register in the Salonic electronic system and book an appointment through it.

1.3. Data controller contact details

HEISZLER HAIR AND BEAUTY Limited Liability Company

Headquarters: 1137 Budapest, Pozsonyi út 34.

Company registration number: 01-09-387228

Phone number: +36 20 227 5156

E-mail address: info@heiszlerszalon.hu

 

2. General provisions

2.1. The purpose, content and related provisions of the Notice

The purpose of this Notice is to provide adequate information regarding the data processing related to the services provided by the Data Controller, as well as to provide information on what data processing rights the Data Subject has and how they can be exercised.

This Notice contains detailed information on data management related to the services provided by the Data Controller, such as booking appointments for treatments, registering and purchasing on the Webshop, and using the Website.

This Notice has been designed in such a way that it complies with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: Regulation), as well as
  • Act CXII of 2011 on the right to informational self-determination and freedom of information.

Please note that in order to use the Website, to register there, and to use our services, you accept the handling of your Personal Data as described in this Notice.

The use of the Website and the use of services, i.e. providing Personal Data, is voluntary for private individuals.

2.2. Concepts

In this Notice, we use a number of capitalized terms for easier clarity.


"Personal Data", "Data Controller", "Joint Data Controller", "Data Processor" have the meaning set out in the General Data Protection Regulation. In addition, the following words and expressions have the following meanings:


General Data Protection Regulation / Regulation

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Data Subject

The following persons are considered Data Subjects:

- The person booking an appointment for treatments at the Heiszler Salons, as well as the person using the treatment;

- A person registering on the Webshop (having a user account) or placing an order through it;

- the person using the Website;

- the person contacting the Data Controller;

Salonic

the appointment booking system used by the Data Subject or the Data Controller and operated by Salonic International Kft. as the data controller;

Authority

National Data Protection and Freedom of Information Authority (address: 1055 Budapest, Falk Miksa u. 9.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu);

Infotv.

Act CXII of 2011 on the right to informational self-determination and freedom of information;

Partner account

the business account of the Data Controller, which contains the appointment bookings, Contact details, and data relating to the employees of the Data Controller performing the management;

Website

Operated by Shopify International Ltd. (head office: 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland) on behalf of the Data Controller:

https://heiszlerszalon.hu/

Webshop

The Data Controller's webshop is available at https://heiszlerszalon.hu/.

2.3. Rights of the Data Subject

The Data Controller considers it of the utmost importance that the Data Subjects' rights are properly ensured during the processing of the Personal Data of natural persons. In this context, the Data Controller keeps the following rights in mind. For any request from the Data Subject in connection with the processing of Personal Data, the Data Controller shall ensure the exercise of the Data Subject's right as soon as possible, but no later than 1 month after receiving the request, or, if additional information is needed to ensure the exercise of the right, shall immediately contact the person concerned by e-mail or phone for the purpose of processing the request (if possible, using the same communication method that the person concerned used).

2.3.1. Right to information and access

The Data Subject has the right to receive feedback, via any of the Data Controller's contact details indicated in this Notice, as to whether his Personal Data is being processed and, if such data processing is in progress, to receive access to the Personal Data and the following information:

  1. the purposes of data management;
  2. the categories of Personal Data concerned;
  3. the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, including in particular recipients in third countries and international organizations;
  4. the planned period of storage of Personal Data, or if this is not possible, the criteria for determining this period;
  5. the Data Subject's right to request from the Data Controller the correction, deletion or restriction of the processing of Personal Data concerning him and to object to the processing of such Personal Data;
  6. the right to submit a complaint to a supervisory authority;
  7. if the data were not collected from the Data Subject, all available information about their source.

In case of automated data processing based on consent or contract, you can request that your personal data provided to us be transferred to you or - if this is technically possible - to a third party designated by you in a well-known and easy-to-use electronic format (e.g. Word, Excel).

2.3.2. Right to rectification and addition

The Data Subject has the right to request the correction of his Personal Data managed by the Data Controller if he considers that they do not correspond to reality or are inaccurate. The Data Subject has the right to request the completion of his Personal Data managed by the Data Controller if he considers that they are incomplete.

2.3.3. Right to limitation

The Data Subject has the right to request that the Data Controller restricts data processing - unless otherwise required by law - if one of the following is met:

  1. the Data Subject disputes the accuracy of the Personal Data, in which case the limitation applies to the period that allows the data controller to check the accuracy of the Personal Data;
  2. the data processing is illegal and the Data Subject opposes the deletion of the data and instead requests the restriction of its use;
  3. the Data Controller no longer needs the Personal Data for the purpose of data management, but the Data Subject requires them to present, enforce or defend legal claims; or
  4. the Data Subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the data controller's legitimate reasons take precedence over the data subject's legitimate reasons.

2.3.4. Withdrawal of consent, right to protest

If the Data Controller's data processing is based on the Data Subject's express request and disclosure, the Data Subject has the right to withdraw his consent at any time. In this case, the Data Controller is obliged to delete the Personal Data of the Data Subject immediately.

If the Data Controller processes data for the protection of its own or a third party's legitimate interests or for the purpose of acquiring business, the Data Subject has the right to object to the processing of their data.

2.3.5. Right to erasure

The Data Subject is entitled to initiate the deletion of his/her Personal Data managed by the Data Controller if the Data Subject:

  1. considers that the processing of the Personal Data is no longer necessary for the original purpose;
  2. does not consent to the further processing of his/her Personal Data - if the data processing is based on consent;
  3. considers that his/her Personal Data is being handled unlawfully by the Data Controller;
  4. expressly objects to the processing of his/her Personal Data - if the legal basis of data processing is the protection of the legitimate interests of the Data Controller or a third party.

2.3.6. Legal remedy

If the Data Subject believes that the Data Controller is handling his data illegally, he is entitled to file a complaint with the Data Controller - at any of the above contacts - in order to have it terminated. If this fails, the Data Subject has the right to appeal to the National Data Protection and Freedom of Information Authority or the court.

Complaints can be submitted to the National Data Protection and Freedom of Information Authority at the following contact details: National Data Protection and Freedom of Information Authority (address: 1055 Budapest, Falk Miksa u. 9-11.; mailing address: 1363 Budapest, Pf.: 9.; phone: +36-1-391-1400, fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu; website: http://www.naih.hu).

In the case of judicial enforcement, the lawsuit falls within the jurisdiction of the Capital Court. At the Data Subject's choice, the lawsuit can also be initiated before the court of his place of residence or place of stay. If the court approves the request, the Data Controller will delete the Data Subject's personal data within 3 days from the notification of the final judgment.

2.3.7. Exercise of the Data Subject's rights

The Data Subject may exercise the aforementioned rights against the Data Controller. Inquiries according to this point can be sent to the Data Controller or made there.

3. Individual data management by the Data Controller

Personal Data belongs to natural persons. Any information relating to a specific natural person - "Data Subject" according to the wording of data protection legislation - may be considered Personal Data. Personal Data is, for example, the name, telephone number, email address or health data, if the natural person can be identified based on it.

3.1. Data management related to appointment booking

The Data Subject can make an appointment for treatments provided by the Data Controller in three ways: by phone, in person or online. Depending on the method of booking the appointment, the Data Controller manages different data of the Data Subject.

You can read the details of data management related to appointment booking in the table below.

Scope of processed data

I. When booking an appointment by phone:

  • name;
  • telephone number;
  • booked treatment and its date.

II. When booking an appointment via message:

  • name;
  • telephone number;
  • e-mail address;
  • booked treatment and its date.

III. In case of booking an appointment in person:

  • name;
  • booked treatment and its date.

IV. When booking an appointment online (through Salonic):

  • name;
  • telephone number;
  • e-mail address;
  • booked treatment and its date.

Purpose of data management

The purpose of processing the Personal Data provided during the appointment reservation is that the Data Controller can provide the requested treatment for the Client at the reserved time. The purpose of data management is also to enable the Data Controller to contact the Data Subject, should the date be changed for any reason.

Legal basis for data management

The Data Controller may process the Data Subject's Personal Data if the Data Subject consents to this (Article 6 (1) point a) of the General Data Protection Regulation).

Duration of data management

Data management lasts until the Data Subject withdraws consent or, in the case of non-finalized appointment bookings, until the Data Subject leaves the appointment booking interface.

Recipients of data management, data processors, contractual partners

Salonic is considered a Data Processor for Data Subjects who book an appointment by phone or in person. The Data Processor has access to the Partner Account of the Data Controller.


Data Subjects who book an appointment through Salonic's system are considered users of Salonic, so Salonic is considered an independent data controller with regard to their Personal Data. In this case, the Contact data displayed by the Data Controller originates from Salonic.

Salonic's information on data management is available at the following link: https://www.salonic.hu/adatvedelmi-declozat

3.3. Data management related to customer data sheet

Following the appointment bookings, a customer data sheet is created for the Data Subject. Based on the information in the customer profile, the Data Controller may grant the Data Subject a discount if certain conditions are met, or may refuse the Data Subject's further treatments and appointments, or apply other sanctions.

You can read the details of data management related to the customer data sheet in the table below.

Scope of processed data

In addition to the Personal Data required to book an appointment, the customer data sheet contains the following data about the Data Subject:

  • type, number, date and amount of treatments used;
  • the amount of any outstanding debt;
  • type, number and date of canceled treatments;

Purpose of data management

The purpose of data management is for the Data Controller to establish that:

  • whether the Data Subject is entitled to a discount from the price of treatments provided by the Data Controller - e.g. whether the amount of the treatments used exceeds the amount after which the Data Controller offers a discount on the price of its treatments, and
  • whether the Data Subject is entitled to book an appointment - in case of a certain number of no-shows, the Data Controller has the right to refuse further appointment bookings by the Data Subject, therefore it checks whether there have been cancellations of appointments (and how many) and whether they were made within the specified (24-hour) deadline; after a certain amount of debt, the Data Controller has the right to refuse to provide additional services (booking an appointment).

Legal basis for data management

The processing of Personal Data is necessary to enforce the legitimate interests of the Data Controller (Article 6 (1) point f) of the General Data Protection Regulation).

Designation of the legitimate interest: the high standard of service provision and the strengthening of customer loyalty, as well as the sanctioning of customers who repeatedly cancel the service.

Duration of data management

We process the data of the customer data sheet until the date of withdrawal of the consent given in connection with the appointment reservation. The data processed in connection with the customer data sheet can only be interpreted together with the Personal Data processed during the appointment reservation, so if the Data Subject withdraws his consent regarding the data processed in connection with the appointment reservation, his entire customer data sheet will be deleted.

Recipients of data management, data processors, contractual partners

In addition to booking an appointment, Salonic is considered the Data Controller's data processor in relation to the data managed on the customer data sheet. The data processor accesses this data, but does not perform any operations on it.

 

3.4. Data management related to webshop order and user account

Shopping through the Webshop is possible with or without prior registration. If the Data Subject registers, a user account will be created. The user account makes shopping easier for Data Subjects. The Data Controller specifically draws the Data Subject's attention to the fact that all responsibility for the accuracy and up-to-dateness of the data rests with the Data Subject. In view of this, if a change occurs in the Personal Data, the Data Subject must transfer these changes to the user account.


The Data Controller draws the attention of the Data Subjects to the fact that the proper operation of the Webshop is ensured in accordance with the provisions of Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commercial services and services related to the information society.

The Data Controller draws the Data Subject's attention to the fact that the purchase is not mandatory after registration on the Webshop.

Scope of processed data

The following data of the Data Subject is managed by the Data Controller in connection with the order placed through the Webshop:

  • last name*;
  • first name*;
  • company name;
  • billing address* (country, county, postal code, city, street, house number);
  • delivery address (if the billing and delivery address are different);
  • phone number;
  • e-mail address;
  • order;
  • note about the order.

Entering Personal Data marked with * is mandatory.


In connection with the user account, the Data Controller manages the following data of the Data Subject:

  • surname;
  • first name;
  • username;
  • billing address;
  • delivery address;
  • previous orders;
  • favorite products;
  • downloads.

Purpose of data management

In connection with purchases through the Webshop, the purpose of data management is to enable the Data Controller to fulfill the order and send the purchased product to the Data Subject. In relation to the user account, the purpose of data management is to make it easier for the Data Subject to place their orders, not to have to enter the same data again, and to save their favorite products and view their previous purchases.

Legal basis for data management

In relation to purchases through the Webshop, the Data Controller uses the Personal Data for the fulfillment of the sales contract, for taking steps at the request of the Data Subject prior to the conclusion of the contract, and for the fulfillment of legal obligations (Article 6 (1) points b) and c) of the General Data Protection Regulation).

In relation to the user account, the Data Controller may process the Personal Data of the Data Subject if the Data Subject consents to the processing of Personal Data (Article 6 (1) point a) of the General Data Protection Regulation).

Duration of data management

The Data Controller will keep pending orders that have not yet been fulfilled for 30 days from the date of placing the order. If the order is not fulfilled during this time, the Data Controller will cancel the order after 30 days.

Incorrect orders are kept by the Data Controller for 30 days from the date of placing the order. After 30 days, the incorrect order is automatically deleted.

According to Section 169 (2) of the Accounting Act, the duration of data management is until the last day of the 8th year following the last day of the year in which the invoice was issued.

If the Data Subject does not log into his user account for 12 months, his account will be deleted due to inactivity.

Recipients of data management, data processors, contractual partners

The system required for issuing electronic invoices is provided for the Data Controller by Billingo Technologies Zrt., which qualifies as the Data Controller's data processor. The data processor performs the technical operation and maintenance of the invoicing program, has access to certain Personal Data, but does not perform any operations on it.

Shopify International Ltd. (2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland), which provides the webshop's e-commerce system, is also a data processor. In connection with the completion of purchases, some of the Data Subject's Personal Data (invoicing name; billing address; delivery address; telephone number; e-mail address) will be forwarded to the Data Controller's partner, who is responsible for the delivery of the purchased product. The Data Controller's partner is Magyar Posta Zrt. (headquarters: 1138 Budapest, Dunavirág utca 2-6.; company registration number: 01-10-042463), which is considered the data processor of the Data Controller. The activity of the data processor is solely aimed at delivering the purchased product to the Data Subject.

3.5. Contact

On the Website, it is possible for the Data Subjects to ask their questions (e.g. regarding a reservation, a specific product). In this case, in order to answer the question, it is necessary for the Data Controller to process certain Personal Data of the Data Subject. It is also possible for the Data Subject to inquire about services, treatments or ask other questions via e-mail or telephone in order to contact the Data Controller.

Scope of processed data

During the contact process, the Data Controller processes the following Personal Data of the Data Subject:

  • name;
  • e-mail address;
  • telephone number;
  • Personal Data voluntarily provided by the Data Subject during contact;
  • the question asked.

Purpose of data management

The purpose of data management is to establish contact between the Data Controller and the Data Subject and to answer the Data Subject's questions.

Legal basis for data management

The Data Controller may process the Personal Data of the Data Subject if the Data Subject consents to the processing of Personal Data (Article 6 (1) point a) of the General Data Protection Regulation).

Duration of data management

Until the Data Subject's consent is revoked, but at most until the reason for the contact is resolved.

Recipients of data processing, data processors, contractual partners

The messages sent through the Website are not stored by the Website, they are sent directly to the contact e-mail addresses indicated on the Website.

Letters received at contact e-mail addresses are answered and handled by the competent staff of the Data Controller.

3.6. Data management related to newsletter (direct marketing)

The Data Controller periodically sends newsletters or other similar direct marketing messages to those who request it. In all cases, it is a voluntary decision whether the Data Subject subscribes to them, and the Data Subject can unsubscribe at any time. In this case, the Data Controller will delete all Personal Data required for sending newsletters and will not send any further newsletters to the Data Subject.

You can read the details of data management related to the newsletter below.

Scope of processed data

The Data Controller manages the following Personal Data in connection with sending the newsletter:

  • last name;
  • first name;
  • telephone number;
  • e-mail address.

Purpose of data management

Contacting the Data Subject, maintaining contact, providing information about available products, services and promotions, events, and other news.

Legal basis for data management

The processing of Personal Data is based on the Data Subject's consent (Article 6 (1) point a) of the General Data Protection Regulation). This consent can be withdrawn by the Data Subject at any time. Withdrawal of consent does not affect the legality of data processing prior to withdrawal.

Duration of data management

The Data Controller manages the Personal Data of the Data Subject until withdrawal, i.e. until the Data Subject unsubscribes from the newsletter.

Recipients of data management, data processors, contractual partners

In connection with the sending of newsletters, the Data Controller uses a data processor. This data processor is MailerLite Limited (https://mailerlite.com/) (registered office: Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland).

3.7. Data management related to the use of the Website

During the use of the Website, the Data Controller collects and manages certain types of data for the purpose of monitoring visitor data (statistical purpose) and enhancing the user experience.

There are buttons and active links embedded on the website that navigate away from the website (Facebook, Instagram, TikTok, YouTube, Salonic in case of booking an appointment). If you click on these buttons, you will be automatically redirected to Facebook, Instagram, TikTok, YouTube or Salonic. We would like to draw your attention to the fact that after the redirection, the Data Controller no longer has the possibility to control the further use of the managed Personal Data, these interfaces are subject to the own data management rules of third parties as independent data controllers. The Data Controller has no influence whatsoever on how the mentioned sites use the Personal Data, and accordingly excludes to the fullest extent possible any responsibility for damage or disadvantages resulting from their further use. The Data Subject expressly acknowledges this exclusion of liability.

The Website uses so-called cookies to achieve the above goals.

Cookies are text files that allow the Website or other computer server to identify the Data Subject's computer and store their personal preferences and technical data, such as click-throughs and other navigation data. The navigation data (click stream) shows which pages the Data Subject visited and in which order. Cookies can also be used to determine which advertisements are displayed on the Website and to measure their effectiveness. The Data Controller uses cookies to personalize the Data Subject's visit to the Website (e.g. help the interface to be in the best resolution when the Data Subject returns to the Website), analyze the Website traffic and track user trends, patterns and selections, which apply to downloads and technical conditions related to the use of the Website. This helps the Data Controller to improve the appearance and content of the Website so that it meets the expectations of users as much as possible. Cookies can be permanent (persistent - they remain on the Data Subject's computer until they are deleted) or temporary (session - valid only until the browser is closed, at the end of the session).

The Data Controller may also use web beacons or similar technologies that monitor the use of the Website and show which pages the Data Subject visits on the Website. These are also called clear GIF files. Web beacons (or web bugs) are short lines of code that place an image on the Website in order to transmit data such as the IP address of the computer that downloaded the page on which the web beacon appears, the URL (address) of that page, the time of viewing the page containing the web beacon, the type of browser that downloaded the web beacon and the identification number of cookies previously placed on the computer by the given server. If the Data Controller contacts the Data Subject via an HTML-capable email message, the web beacons indicate whether the message has been received or opened.

If the Data Subject provides his/her Personal Data to the Data Controller (e.g. through registration), this can be linked to the anonymous data stored in cookies and/or web beacons. The information thus generated is handled by the Data Controller for analytical purposes, in order to measure the efficiency of the service and to further develop it.

The Website uses necessary, functional, statistical and marketing cookies.

  • Necessary cookies are necessary for browsing the website and using the functions, among other things they allow the visitor to comment on the actions performed on a given page, function or service. Without the use of the necessary cookies, the smooth use of the Website cannot be guaranteed.
  • Functional cookies enable the Website to remember which mode of operation the user has chosen (e.g.: does he use the Hungarian or English version of the Website, does he choose the barrier-free version, how many results should appear in the list of search results at the same time, etc.).
  • Statistical cookies provide feedback to the Website owner about what content users like on the Website. The data is not linked to a specific person.
  • Marketing cookies track users across websites, for example by displaying advertisements, all in order to show users relevant content.