Privacy notice

I.
General Section

Who processes your personal data? Who is the data controller?

In the course of processing your personal data, Oboe Academy Online Korlátolt Felelősségű Társaság will act as the data controller (hereinafter: Data Controller).

What are the data controller’s contact details?

registered office: 8200 Veszprém, Bem József utca 15.
telephone number: 06202804272
e-mail address: info@oboeacademyonline.com

Which data are considered to be personal data?

Personal data means any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Which personal data are included in the special categories of personal data?

Special categories of personal data are considered to be personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Who is considered to be a data subject?

Data Controller may process the personal data of the following natural persons in particular:

  • persons visiting the website https://www.oboeacademyonline.com and its sub-domains,
  • persons who register on the Website,
  • persons exercising their rights of withdrawal and termination,
  • persons who file a complaint,
  • persons who use the services of the Website as Users,
  • persons who use the services of the Website as Instructors,
  • contact persons of legal entities.

Which are the most important laws and regulations governing the processing activity of Data Controller?

Data processing is governed mainly by the following legislation:

  • Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”)
  • Act CXII of 2011 on the right of informational self-determination and on freedom of information
  • Act C of 2000 on Accounting,
  • Act V of 2013 on the Civil Code

On what principles does the Data Controller perform its data processing activity?

Data Controller processes data based on the following principles, by taking the necessary measures to enforce these principles in order that the personal data are

a. processed on a lawful, fair and appropriate legal basis (lawfulness, fairness and transparency),
b. collected only for specified, clear and lawful purposes and are not processed in a way that is incompatible with such purposes,
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation),
d. accurate and, where necessary, kept up to date; if possible, personal data that are inaccurate are erased or rectified without delay (accuracy),
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may only be stored for longer periods for statistical purposes subject to the implementation of the appropriate technical and organisational measures (storage limitation),
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality),
g. processed with an awareness of responsibility for and an ability to demonstrate compliance with the above principles (accountability).

For what purpose, on what legal basis and for how long does Data Controller process personal data and which personal data are processed?

The purpose, legal basis and duration of processing personal data and a description of the personal data are given in the Special Section of this Privacy Notice.

Does Data Controller use automatic decision-making or profiling?

Data Controller does not use automatic decision-making and does not create profiles of data subjects from available data.

What rights do data subjects have?

Data Controller ensures the following rights for data subjects (Article 23, GDPR):

a. the right to information,
b. the right of access,
c. the right to withdraw consent,
d. the right to rectification,
e. the right to erasure,
f. the right to be forgotten,
g. the right to restriction,
h. the right to be informed about the recipients advised of the rectification or erasure of personal data, or the restriction of processing,
i. the right to data portability,
j. the right to object,
k. the right to remedy.

The detailed explanation of the rights listed herein is contained in Appendix 1 of this Privacy Notice.

How can the data subject submit requests concerning data processing or for the withdrawal of the consent given for data processing?

The data subject may submit requests concerning data processing

  • by post to the address: 8200 Veszprém, Bem József u. 15.,
  • in person at: 8200 Veszprém, Bem József u. 15.,
  • by telephone: 06202804272,
  • by e-mail at info@oboeacademyonline.com

Dealing with the data subject’s requests

Data Controller will inform the data subject of the action taken in response to his or her request within one month of the receipt of the request. Where necessary, this time limit may be extended by another two months. Data Controller will inform the data subject of any such extension within one month of the receipt of the request, together with the reasons for the delay. If Data Controller does not act in response to the data subject’s request, it must provide information about the reasons for not acting within one month of the receipt of the request, and advise the data subject of the option of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Joint data processing

Data Controller is not involved in joint data processing activities.

Who are the recipients of your personal data?

The general rule is that the Data Controller does not forward the data subject’s personal data to third persons, only to the data processors and other data controllers presented below. Another exception from the general rule is if the Data Controller is bound by law to forward the data to an authority, state or court.

Which data processor does the controller use?

Data Controller may use the services of data processors to process the personal data handled.

The data processor may be a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Controller will only use a data processor who or which provides sufficient guarantees for the implementation of appropriate technical and organisational measures to ensure that the data processing complies with the legal requirements and that the rights of the data subjects are protected. The data processor may not engage an additional data processor without the prior written specific or general authorisation of the Data Controller.

Data Controller uses the companies below for data processing services:

Host service provider:
Name: 3 in 1 Hosting Számítástechnikai és Szolgáltató Betéti Társaság
Seat: 2310 Szigetszentmiklós, Brassó u. 4/A.
Contact:
Phone: +36 (21) 200 0040
E-mail: admin@megacp.com
Website: www.3in1.hu

Foreign host service provider:
Name: Hetzner Online GmbH
Seat: Germany, Industriestr. 25. 91710 Gunzenhausen, Deutschland,
EU tax number: DE812871812,
Website: www.hetzner.com,

Software developer:
Name: Comp-Harmony Kft.
Seat: 8248 Nemesvámos, József A. u. 29.
Company registration number: 19-09-516417

Premises that accept the credit card:
Barion Payment Zrt.
Seat: 1117 Budapest, Infopark sétány 1. I. épület 5. emelet 5.
Registry authority: Fővárosi Törvényszék Cégbírósága
Company registration number: Cg. 01-10-048552
Tax number: 25353192-2-43
EU tax number: HU25353192
Operating licence number: HEN-I-1064/2013
Electronic-money issuing premise number: 25353192

Invoicing company:
Billingo Technologies Zártkörűen Működő Részvénytársaság
Seat: 1133 Budapest, Árbóc utca 6. 3. em.
Company registration number: 01-10-140802
Tax number: 27926309-2-41
Website: www.billingo.hu
Email: hello@billingo.hu
Tel.: +36-1/500-9491
Represented by: Sárospataki Albert, CEO

Accountant:
Flőrich Krisztina
Seat: 8200 Veszprém, Hoffer Ármin Sétány 2.
Tax number: 55784115-1-39

For specific assignments the Data Controller may use other data processors (e.g. a translator or financial expert) apart from the above and will inform the data subject about this individually during the performance of the assignment.

The Data Controller forwards the personal data of the subject to the Instructor chosen by the subject. The Instructors act as separate data controllers, which means that they have complete liability regarding their data processing activities, but nevertheless they accept the provisions of this Notice as binding on themselves.

The Whereby software must be downloaded and installed by the data subjects in order to use the services of the Data Controller. Whereby acts as a separate data controller as well. The data subject can find detailed information on the data controlling activities of Whereby here: https://whereby.com/information/tos/privacy-policy/.

Online payment is done via the systems of Barion. Barion is a separate data controller, Oboe Academy excludes liability for its data controlling activities, and the credit card data of the data subjects are not visible to Oboe Academy. The credit card data stored by Barion is not visible to Oboe Academy either. The data subjects can find detailed information on the data processing activities of Barion here: https://www.barion.com/en/privacy-notice.

Does Data Controller transmit the personal data processed by it to third countries?

Data Controller does not transmit personal data to third countries on a regular basis.

What measures does Data Controller take to protect personal data?

Data Controller takes technical and organisational measures to protect the personal data processed by it, in particular against unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as accidental destruction, damage and inaccessibility due to changes in the technology used. To this end, inter alia,

  • the use of computers is conditional on individual passwords,
  • the information technology system is regularly checked from the aspect of data protection and IT security,
  • protection against malicious software is provided,
  • personal security measures are taken,
  • appropriate resources are provided for assignments; employees are made aware of the importance and requirements of data security,
  • access to documents is logged,
  • back-up copies are stored on a separate data storage product,
  • both the safety measures of the website and the web shop engine are regularly checked and refreshed in case of necessity,
  • data is regularly backed up for the sake of preservation. These backups are made and stored independently of the hosting service provider.

In order to protect the data files processed electronically in the various registers, the Data Controller ensures by means of an appropriate technical solution that the stored data cannot be directly linked and assigned to the data subject unless permitted by law.

Who is liable for damage caused by processing personal data?

Data Controller is liable for damage caused by the unlawful processing of personal data or a breach of the data security requirements and for an infringement of the data subject’s personal rights, and is obliged to compensate the damage if the violation is acknowledged or legally established. In the event of the infringement of the data subject’s personal rights, the data subject may claim restitution pursuant to Section 2:52 of Act V of 2013 on the Civil Code. Data Controller is also liable for any damage caused by the data processor used by it.

Data Controller will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Cookies used by the Website

The Data Controller currently uses the cookies of Full Barion Pixel, for which the Data Controller asks for the consent of the data subject through the cookie banner popping up on the Website. Besides these, the Data Controller only uses cookies that improve user experience, but do not store any personal data, thus they are not bound to the consent of data subjects. Detailed information on the cookies used regarding the operation of the Website can be found here: https://wordpress.org/support/article/cookies/; https://docs.woocommerce.com/document/woocommerce-cookies/

What legal remedies do you have as regards data processing?

In connection with the lawfulness of data processing, the data subject may initiate a procedure with the Hungarian National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa utca 9-11, postal address: 1363 Budapest, Pf. 9, website: www.naih.hu, telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410, central e-mail address: ugyfelszolgalat@naih.hu) or, at the choice of the data subject, apply to the court for the place where he or she is habitually or temporarily resident in Hungary or where Data Controller is based. The court of habitual or temporary residence in Hungary may be found on the web page http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso.

Data Controller has not appointed a data protection officer in the absence of a specific provision laying down such an obligation.

The present Privacy Notice was made in English and Hungarian; should there be any differences between the two, the Hungarian version shall prevail.

II.
Special section

II/1. Data processing regarding registration on the Website

Purpose of data processing: Generating personal account after registration
Personal data processed: name, account name, password, date of birth, e-mail
Legal basis of processing: Consent (GDPR Art. 6. point 1))
Retention time: Until withdrawal of consent, or until deletion of the account
Information regarding the services provided by processing / source of data: Without giving consent it is impossible to generate an account, thus the services of the Website cannot be used.

II/2. Data processing regarding services ordered through the Webshop

Purpose of data processing: Fulfilling the service ordered through the webshop.
Personal data processed: name, password, date of birth, address, place of residence, e-mail, account name, telephone number, invoice and accounting data
Legal basis of processing: performance of contract (GDPR Article 6. para 1) point b)); regarding invoices and accounting data legal obligation (GDPR Article 6. para 1) point c)) and Accounting Act.
Retention time: limitation of claims arising from the contract, which is 5 years, and 8 years regarding accounting and invoicing data.
Information regarding the services provided by processing / source of data: Without these data the services of the Website cannot be used.

II/3. Data processed regarding accounting procedures

Purpose of data processing: Compliance with legal provisions on accounting
Personal data processed: data processed regarding accounting procedures
Legal basis of processing: Legal obligation (GDPR Article 6. para 1) point c) and Act on Taxes, and Act on Accounting Art)
Retention time: currently 8 years, as stated by the regulations cited.
Information regarding the services provided by processing / source of data: Due to legal obligations, providing these data is mandatory.

II/4. Data processing activity regarding complaints filed

Purpose of data processing: Examination of complaints
Personal data processed: name, password, date of birth, address, e-mail, other data contained by the complaint
Legal basis of processing: legal obligation GDPR Article 6. para 1) point c) and Act CLV of 1997 on Consumer Protection para 17/A. § (5) and para (7)
Retention time: 5 years
Information regarding the services provided by processing / source of data: The data subject is unable to exercise its consumer rights without these data.

II/5. Exercising the right of withdrawal

Purpose of data processing: Fulfilling the data controller’s obligations arising from withdrawal or termination.
Personal data processed: name, password, date of birth, address, place of residence, e-mail, other data contained by the document of withdrawal or termination
Legal basis of processing: legal obligation GDPR Article 6. para 1) point c) and Act CLV of 1997 on Consumer Protection and legitimate interest GDPR Article 6. para 1) point f)
Retention time: 5 years
Information regarding the services provided by processing / source of data: Without these data, the rights of withdrawal and termination could not be exercised.

II/6. Fulfilling orders of legal entities

Purpose of data processing: Personal data of the legal entity’s contact persons need to be processed in order to fulfil orders of the entity.
Personal data processed: Name, address, position, contact data of the contact person
Legal basis of processing: legitimate interest (GDPR Article 6. para 1) point f))
Retention time: Until the legitimate interest persists, or successful objection but a maximum of 5 years
Information regarding the services provided by processing / source of data: Without these data, the legal entity is not able to issue orders.

II/7. Backup saves from the Website and the Webshop

Purpose of data processing: In case of the error of the Website, or a false deletion of personal data, these backup saves will recover the lost data
Personal data processed: All data given by the user on the website.
Legal basis of processing: legitimate interest GDPR Article 6. para 1) point f))
Retention time: Until the cessation of interest or successful objection but maximum 1 year, the data stored for more than a year will be deleted at the start of every month.
Information regarding the services provided by processing / source of data: In case of deletion of the data from these backup saves, they will no longer be recovered.

II/7. Barion full pixel cookies

Cookie: ba_vid.xxx
Its purpose is to identify bank card fraud on the basis of your device’s digital fingerprint and your browsing habits. The cookie allows us to follow your browsing habits related to a given website between two sessions. It collects the following data: ba_vid, user related ID which is the hash compiled from the characteristics of the browser, timestamp of your first, current and last visit on the website based on the hash, current work session ID, authorisation for third party cookies. We place these cookies on our own website and the websites of merchants using Barion Smart Gateway.
Barion Payment Zrt.; for 1.5 years calculated from the last update

Cookie: ba_vid
Its purpose is to identify bank card fraud on the basis of your device’s digital fingerprint and your browsing habits. Cookies are necessary to identify fraudsters. The cookie allows us to know that data arising from your browsing habits derive from the same user. We place these cookies on our own website and the websites of merchants using Barion Smart Gateway.
Barion Payment Zrt.; for 1.5 years calculated from the last update

Cookie: ba_sid
Its purpose is to identify bank card fraud on the basis of your device’s digital fingerprint and your browsing habits. The cookie allows us to identify your work session through websites. We place these cookies on our own website and the websites of merchants using Barion Smart Gateway.
Barion Payment Zrt.; 30 minutes

Cookie: ba_sid.xxx
Its purpose is to identify bank card fraud on the basis of your device’s digital fingerprint and your browsing habits. The cookie allows us to identify your work session within the given website. We place these cookies on our own website and the websites of merchants using Barion Smart Gateway.
Barion Payment Zrt.; 30 minutes

II/8. Services used by persons as Instructors

Purpose of data processing: Instructors are only entitled to such position with presenting the data required to examine their instructor position
Personal data processed: professional training, level of education, data given regarding career
Legal basis of processing: consent (GDPR Article 6. para (1) point f))
Retention time: Until withdrawal of consent or the termination of instructor position
Information regarding the services provided by processing / source of data: Without granting these data, it is impossible to act as an instructor on the Website

Appendix 1.

Rights of the data subjects regarding data processing

Data Controller ensures the following rights for data subjects in cooperation with the data subjects in exercising these rights noting that Union or Member State law applicable to Data Controller may restrict the assertion of the rights of the data subject to the necessary and proportionate extent in order to protect the data subject or to protect the rights and freedoms of others or to enforce civil claims (Article 23, GDPR):

a. the right to information:

Data Controller provides data subjects with the information required and specified by law in accordance with the principles of fair and transparent processing.

Data Controller provides the information specified by law to the data subject even where personal data have not been obtained from the data subject unless the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy,

b. the right of access:

data subjects are entitled to obtain confirmation from Data Controller as to whether their personal data are currently being processed and, if that is the case, they are entitled to access their personal data and the information specified by law. Data Controller will provide a copy of the personal data undergoing processing to the data subject free of charge on one occasion. For any further copies requested by the data subject, Data Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, Data Controller – unless otherwise requested by the data subject – will provide the information requested in a commonly used electronic format. The right to obtain a copy may not adversely affect the rights and freedoms of others (in particular a person deemed a client of Data Controller enforcing a civil claim) and access may be granted, irrespective of the request for a copy,

c. the right to withdraw consent:

where the legal basis of data processing is the data subject’s consent, the data subject may withdraw consent for data processing at any time but the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Data Controller may continue to process personal data after the withdrawal of consent for the purposes of fulfilling its legal obligations or legitimate interests provided that ensuring that the legitimate interest prevails is proportionate with the restriction of the right to the protection of personal data,

d. the right to rectification:

the data subject may request Data Controller to rectify inaccurate or supplement missing personal data concerning him or her without undue delay,

e. the right to erasure:

the data subject may request Data Controller to erase personal data concerning him or her without undue delay. The performance of such a request may only be denied in cases specified by law, in particular if data processing is necessary for compliance with a legal obligation which requires the processing of personal data laid down by Union or Member State law applicable to Data Controller, or for the establishment, exercise and defence of legal claims. Where the law provides for an obligation of data processing, Data Controller may not erase the data of the data subject,

f. the right to be forgotten:

this right compels Data Controller where it has made the personal data public and, in consequence of the right to erasure, is obliged to erase the personal data to take reasonable steps, including technical measures, taking account of available technology and the cost of implementation, to inform controllers which are processing the data that the data subject has requested the erasure of any links to, or copy or replication of, those personal data,

g. the right to restriction:

the data subject may request Data Controller to restrict data processing if

  • the accuracy of the personal data is contested by the data subject (in this case restriction is for a period that enables Data Controller to verify the accuracy of the personal data),
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  • Data Controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defence of legal claims, or
  • the data subject has objected to processing exercising the right to object pending the verification whether the legitimate grounds of Data Controller override those of the data subject,

h. the right to be informed about the recipients advised of the rectification or erasure of personal data, or the restriction of processing:

Data Controller will inform all recipients to whom the personal data have been communicated of the rectification, erasure or restriction of the processing of the personal data at the data subject’s request unless this proves impossible or requires disproportionate effort. At the request of the data subject, Data Controller will provide information about such recipients,

i. the right to data portability:

where the legal basis of data processing is the data subject’s consent or the performance of the contract, and the processing of personal data is carried out by automated means, the data subject has the right to

  • receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format,
  • transmit those data to another controller without hindrance from Data Controller,
  • where technically feasible, request Data Controller to directly transmit the personal data to another controller,

j. the right to object:

the data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of his or her personal data necessary for the performance of a task on the grounds of the legitimate interests of Data Controller or a third party. Data Controller will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

k. the right to remedy:

if the data subject considers that the processing of personal data relating to him or her infringes the legal regulations, the data subject has the right to lodge a complaint with a supervisory authority or to seek judicial remedy.