PRESENTATION OF ITS DATA PROCESSING ACTIVITIES
CONTENTS OF THIS NOTICE
I. Details of the Parties Involved in Data Processing
II. Purpose of this Notice
III. General Definitions and Terms
IV. Principles and Method of Data Processing
V. Description of Data Processing Activities
VI. Rights of Data Subjects and How to Exercise Them
VII. Data Security
VIII. Complaint Handling and Procedural Rules
IX. Data Protection Incident
X. Applicable Legislation
XI. Use of Data Processors
XII. Changes to this Notice
Central Harmony Massage Studio (company name: AROMAKONYHA Ltd., registered office: 1172 Budapest, Újszilvás utca 10., company registration number: 01-09-336431, tax number: 26356679-2-42, represented by Managing Director Marcell Galambos) (hereinafter: Data Controller) provides physical wellbeing services to its Clients and operates the website www.chmassage.hu in connection with these services.
We hereby inform you, as a Data Subject, that Central Harmony Massage Studio qualifies as an independent Data Controller, as it processes the personal data of Data Subjects in its own name and on its own behalf, and independently determines the purposes and means of processing.
You may obtain information about Central Harmony Massage Studio’s data processing activities from the current version of the document entitled “Privacy Notice” available at www.chmassage.hu.
In the course of providing physical wellbeing services and operating its website, the Data Controller engages external data processors for the storage of personal and special category data, including health data.
I. DETAILS OF THE PARTIES INVOLVED IN DATA PROCESSING
Details of the Data Controller
Company name: AROMAKONYHA Limited Liability Company
Registered office: 1172 Budapest, Újszilvás utca 10., Hungary
Company registration number: 01-09-336431
Place of data processing (place of service provision):
1133 Budapest, Ipoly utca 13., Hungary
External Data Processors Used by the Data Controller
Across Média Ltd.
Registered office: 2000 Szentendre, Vörösgyűrű sétány 12., Hungary
Company registration number: 13-09-216846
Representative: Rudolf Tamás Kampas, Managing Director
Barion Payment Ltd.
Registered office: 1117 Budapest, Irinyi József utca 4-20., 2nd floor
Company registration number: 01-10-048552
Representative: Sándor Kiss, Board Member
Billingo Technologies Ltd.
Registered office: 1133 Budapest, Árbóc utca 6., Hungary
Company registration number: 01-10-140802
Representative: Albert Sárospataki, Board Member
Booked4.us Ltd.
Registered office: 2600 Vác, Zichy utca 12., Hungary
Company registration number: 13-09-198371
Representative: Péter Balogh, Managing Director
Pogácsa és Társa Ltd.
Registered office: 1028 Budapest, Aszú utca 43/B, Hungary
Company registration number: 01-09-667430
Representative: Attiláné Takács, Managing Director
II. PURPOSE OF THIS NOTICE
The purpose of this Notice is to inform Clients and all Data Subjects using the services of the Data Controller about:
the data protection and data processing principles applied, and
the data processing activities carried out by the Data Controller.
This Notice is based in particular on:
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), and
Act XLVII of 1997 on the processing and protection of health and related personal data.
III. GENERAL DEFINITIONS AND TERMS
Personal Data
Any information relating to an identified or identifiable natural person ("Data Subject").
Health Data
Personal data relating to the physical or mental health condition of a natural person.
Data Subject
Any identified or identifiable adult natural person.
Wellbeing Service
A non-medical service intended to improve physical wellbeing.
Consent
Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes.
Data Processing
Any operation performed on personal data, including collection, recording, storage, use, transfer, or deletion.
Data Controller
The entity that determines the purposes and means of processing personal data.
Data Processor
An entity that processes personal data on behalf of the Data Controller.
Data Breach
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
IV. PRINCIPLES AND METHOD OF DATA PROCESSING
Personal data shall be processed:
lawfully, fairly, and transparently
for specified, explicit, and legitimate purposes
in accordance with data minimization principles
with appropriate security and confidentiality
Personal data will not be disclosed to third parties except as specified in this Notice or required by law.
V. DESCRIPTION OF DATA PROCESSING ACTIVITIES
1. Processing of invoicing data
Purpose: Issuing invoices for services
Legal basis: Legal obligation (Article 6(1)(c) GDPR)
Data processed:
Name
Address
Tax number
Retention period: 8 years
Data processors:
Billingo Technologies Ltd.
Pogácsa és Társa Ltd.
National Tax and Customs Administration (NAV)
2. Online booking data processing
Purpose: Appointment booking
Legal basis: Consent (Article 6(1)(a) GDPR)
Data processed:
Name
Email address
Phone number
Selected service
Data processor:
Booked4.us Ltd.
3. Photo, video, and audio recordings
Purpose: Marketing and promotion
Legal basis: Consent
Recordings are only made with prior written consent.
Consent may be withdrawn at any time.
4. Health questionnaire and treatment record
Purpose:
Providing safe and personalized treatments
Monitoring and protecting the Client’s health
Data processed:
Name
Date of birth
Health-related information
Treatment notes
Legal basis:
Explicit consent (Article 9(2)(a) GDPR)
These documents may be sent to the Client via email.
5. Newsletter subscription
Purpose: Marketing communication
Data processed:
Name
Email address
Legal basis:
Consent (Article 6(1)(a) GDPR)
6. Gift voucher and package purchase
Purpose: Providing services
Data processed:
Name
Legal basis:
Contract performance or consent
7. Cookies
Purpose:
Website functionality
Improving user experience
Legal basis:
Consent
8. Facebook Messenger communication
Purpose: Customer support
Data processed:
Name
Message content
Legal basis:
Consent
Data processor:
Meta Platforms Ireland Ltd.
9. Bank card and SZÉP card payments
Purpose:
Payment processing
Legal basis:
Contract performance
Retention period:
8 years
VI. RIGHTS OF DATA SUBJECTS
Data Subjects have the right to:
access their personal data
request correction
request deletion
request restriction
withdraw consent
lodge a complaint
Contact:
Central Harmony Massage Studio
Email: info@chmassage.hu
Address: 1172 Budapest, Újszilvás utca 10., Hungary
VII. DATA SECURITY
The Data Controller implements appropriate technical and organizational measures to ensure data security, including:
password-protected systems
restricted access
firewall protection
encrypted communication (SSL)
secure storage
Only authorized personnel may access personal data.
VIII. COMPLAINT HANDLING
Complaints may be submitted to:
National Authority for Data Protection and Freedom of Information
Website: www.naih.hu
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
IX. DATA BREACH
In case of a data breach, the Data Controller will take appropriate measures within 48 hours and comply with GDPR notification obligations.
X. APPLICABLE LEGISLATION
Including but not limited to:
GDPR (EU 2016/679)
Hungarian Civil Code (Act V of 2013)
Act CXII of 2011 on Informational Self-Determination
Act C of 2000 on Accounting
Act XLVII of 1997 on health data protection
XI. USE OF DATA PROCESSORS
The Data Controller may use additional data processors that comply with GDPR requirements.
XII. CHANGES TO THIS NOTICE
The Data Controller reserves the right to amend this Privacy Notice.



