Data controlling policy of FitRadio Szolgáltató Korlátolt Felelősségű Társaság (address: 8600 Siófok, Béri Balog Ádám utca 47. földszint 12.; company registration number: 14-09-316378; executive officer as authorized representative: Máté Szabolcsi, managing director; hereinafter referred to as Service Provider) valid as of May 25. 2018 until being revoked: Data Controlling Policy or Regulation):
GTC: General Terms of Contract applied by the Service Provider, available on the Website.
Registration: the process, in the course of which the User enters into a contract with the Service Provider by accepting the GTC and providing the data requested by the Service Provider, as a result of which the User is granted access to the entire service provided by the Service Provider.
User: natural person, or – via its natural person representative – organization, business association, enterprise of private entrepreneur with or without legal personality registered in one of the member states of the European Union and operating in compliance with the laws of Hungary, who/which following the registration enters into legal relationship with the Service Provider.
Contract: legal relationship established between the User and the Service Provider on the subject of the service to be provided by the Service Provider.
Data Controller: the Service Provider, i.e. FitRadio Szolgáltató Korlátolt Felelősségű Társaság (registered address: 8600 Siófok, Béri Balog Ádám utca 47. földszint 12.; company registration number: 14-09-316378; authorized representative: Máté Szabolcsi, managing director).
Data Processor1: Gyula Fodor freelance entrepreneur providing information technology background for the service provided by the Service Provider (address: 1113 BUDAPEST 11 ker. Diószegi út 59. 1 em. 2 ajtó; registration number: 39131686; statistical code: 66791627620123101).
Data Processor2: The Rocket Science Group, LLC (registered address: 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA) operating the MailChimp newsletter service.
Data Processor3: Google Inc. (registered address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States) operating the Google Analytics service.
Data Processors: Data Processor1, Data Processor2 and Data Processor3 together.
Civil Code: Act V of 2013 on the Civil Code.
Infotv.: Act CXII of 2011 On information self-determination and freedom of information
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation).
Personal Data: any information related to an identified or identifiable natural person; a natural person is identifiable, if he/she can be directly or indirectly identified based in particular on some identifiers, such as name, number, location data, online identifier, or certain factors related to bodily, physiological, genetic, intellectual, economic, cultural or social identity.
Data Controlling: any operation or sum of operations performed on personal data or data sets in automatized or non-automatized manner, including collection, recording, systematization, articulation, storage, transformation or alteration, retrieval, introspection, usage, publication, forwarding, distribution or making otherwise public, harmonization or interconnection, limitation, deletion or destruction.
Data Subject: the User, whose natural person representative’s personal data are controlled or processed by the Data Controller or by the Data Processor.
Data Controlling Statement: Consent of the Data Subject for Data Controlling made during the Registration.
Data Protection Incident: breach of security resulting in intentional or illegitimate destruction, loss, alteration, unauthorized publication of or unauthorized access to the transferred, stored or otherwise controlled personal data.
Governing Law and Principles of Data Controlling
The Data Controller and the Data Processor are entitled to control and process personal data based on particular on the provisions of the Infotv. and the GDPR.
must be controlled legally, fairly, and in a manner transparent for the Data Subject,
can only be collected for definite, clear and legal purposes, and the Data Controller may not use them for purposes incompatible for the originally set purpose,
must be adequate and relevant for the purpose of the data controlling, and must be restricted to the necessary data,
must be accurate and up-to-date, if necessary; the Data Controller must take every reasonable action to ensure that personal data inaccurate for the purpose of the data controlling are immediately deleted or corrected,
must be stored in form making the identification of the Data Subject possible only for the duration necessary to achieve the objectives of the data processing,
must be controlled in a manner ensuring adequate security of the controlled personal data through the application of proper technical or organizational measures, including protection against unauthorized or illegitimate controlling, incidental loss, destruction of or damage to the controlled data.
The Data Processor
The Data Controller will use the Data Processor for certain parts of the Data Controlling activities.
Data Processors undertake Data Processing in the interest of the Data Controller; they are not entitled to make individual decisions about Data Controlling, and they can only act pursuant to the Data Controller’s instructions.
Provisions contained in this Policy applicable to the Data Controller shall also be mandatory for the Data Processors.
Data Processors are supervised by the Data Controller.
Data Processor1 is not entitled to assign Data Processing to additional Data Processors.
Controlled personal data
If the User wants to use the service as a private person, he/she must provide the following data to the Service Provider:
individual user name and password assigned to the User Account.
First and last name,
user name (if any),
other data indicated on the User’s Facebook profile as public data, i.e. data accessible by anyone.
During the Registration required for the use of the service, the User - provided that he/she is the representative/contact person of an organization, business association, enterprise of private entrepreneur with or without legal personality registered in one of the member states of the European Union and operating in compliance with the laws of Hungary - shall provide to the Service Provider the following data:
Purpose and legal basis of Data Controlling
use by the User of the service provided by the Service Provide, fulfillment of the contract entered into by and between the Service Provider and the User,
enforcement of the Service Provider’s other legitimate interests.
Additional objectives of Data Controlling are:
to ensure the opportunity for the Service Provider to maintain contact - via its representative - with organizations, business association, enterprise of private entrepreneur with or without legal personality registered in Hungary and operating in compliance with the laws of Hungary,
to prepare statistics and analyses following anonymization.
The Data Controller is not entitled to use the personal data for purposes other than those listed in Section 1 and 2.
The Data Controller is entitled to control Personal data submitted as part of Data Controlling based on the explicit consent of the Data Subject granted in form of Data controlling statement, furthermore in order to fulfill the service contract. The Data Controller is obliged to notify the Data Subject on the Data Controlling prior to giving such consent.
Method and duration of Data Controlling
All data - including personal data - submitted by the Data Subject are recorded and stored on the server operated based on the Data Processor’s commission for the purposes identified in Chapter V.
Personal Data are controlled in electronic format, in an encoded database. The Data Controller and the Data Processor are obliged to prevent Data Protection Incidents from happening by implementing IT protection adequate to the actual level of technological development that can be maintained and operated in a reasonable and economically viable manner.
The Data Subject warrants that he/she is the only one who can access the email account provided as personal data, and that he/she is the only one answering the submitted telephone number. The Data Controller disclaims liability in case, if the service provided under the GTC would concern any third party as a result of this third party using the email account or telephone number.
With respect to the applicable provisions of the GDPR, the Data Controller and the Data Processor are not obliged to appoint a data protection officer.
The Data Controller and the Data Processor must ensure that access to the controlled data is granted exclusively to persons participating in the provision of the service as per the GTC,
Duration of Data Controlling is in line with the effective date of the contract entered into with the Service Provider. In case, if the User deletes his/her User Account, the contract is considered terminated, in which case the User’s consent for Data Controlling shall be deemed revoked.
Data Controlling is canceled, and personal data of the Data Subject are deleted, if the Data Subject does not log in into his/her User Account for a period of 2 (two) years.
Data Controlling, provided that the Service Provider is bound by the law - including, but not limited to the provisions of Act C of 2000 on Accounting - may take longer than the period determined in Section 6.
The Service Provider - upon the User’s separate explicit consent - may send newsletters to the User.
Such newsletter service is provided by the Service Provider using the MailChimp newsletter software.
The Service Provider shall allow the User to unsubscribe from the newsletter at any time.
In case of subscribing to the newsletter service, the Service Provider shall forward the User’s email address to the server operated by MailChimp as described in Chapter X to use the MailChimp system for the provision of the newsletter service.
Should the User unsubscribe from the newsletter, the Service Provider shall delete the data of the User from the MailChimp system.
The Service Provider keeps records of the music channels listened to by the Users, the time spent listening to music, the duration of advertisements played while listening to music - and prepares anonymous statistics unsuitable for the identification of the User to determine the amount of consideration due for the ad time, as well as no-ads periods and personalized ads.
The Service Provider does not control the related individual data of the User, the listened music channels, the time spent listening to music or the duration of the advertisement listened to during this time.
In order to provide more personalized services, the Data Controller installs a small data package (so-called “remember me cookie”) to the User’s computer. The purpose of the cookie is the remember the User’s login details, so they don’t have to be entered for every log-in session. The cookie is not suitable for unique identification of the User.
The Service Provider uses Google Analytics to follow up website statistics, which installs cookies on the User’s computer.
Data related to the Website visits recorded in the cookies (together with the time of the visit and the User’s IP address) are transferred to and stored on the servers of Google USA. Google uses this data to evaluate the User’s website visiting habits and assemble reports on these habits for the Service Provider and to provide other services related to the Website and to the use of the internet.
Further information is available on: https://www.google.com/analytics/
Installation of cookies can be prevented by adequate setting of the browser.
If the User would like to manage his/her cookie settings or to ban this function, he/she can do it in the browser of his/her own IT device. Locations of cookies can be found depending on the tool bar of the browser, in most cases, however, you can enable or disable individual tracking functions on your IT device in the Settings menu, under the Data Protection sub-menu.
In agreement with provisions set forth in Chapter VII, should the User subscribe for the newsletter service, then the Service Provider shall transfer the User’s email address to the server of Data Processor2 located in the United States.
In case if the User do not block the installation of cookies to his/her electronic device, then his/her IP address will be forwarded to one of the servers of Data Processor3 located in the United States.
The Data Controller is obliged to keep records of such data transfer.
The User acknowledges that his/her following personal data stored by the data controller [FitRadio Kft.] (8600 Siófok, Béri Balog Ádám utca 47.) in the user database of [www.fitradio.hu] are handed over to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.), as Data Processor. Scope of the data transferred by the data controller: [List of data forwarded by the FitRadio]. Nature and purpose of the data processing activity performed by the data processor can be found in the SimplePay Data Controlling information available in the following link: http://simplepay.hu/vasarlo-aff
Rights of the Data Subject in connection with Data Controlling
The Data Subject is entitled to request information from the Data Controller or from the Data Processor regarding data controlling at any time.
The Data Subject may request correction or modification of his/her personal data. Taking into consideration the purpose of Data Controlling, the Data Subject may request for completion of defective personal data.
The Data Subject may request deletion of his/her personal data controlled by the Data Controller.
Deletion can be refused, and further storage of personal data is regarded legitimate, if it is necessary to exercise the right to freedom of expression and information, for compliance with a legal obligation - especially those arising from the GTC - or for statistical purposes or to submit, enforce or defend legal claims.
The Data Controller shall in each case notify the Data Subject on the refusal of the deletion request, indicating the reason for the refusal. After the fulfillment of the requested deletion of personal data, the former (deleted) data cannot be restored any more.
In case, if the Data Subject opines that the Data Controlling is illegitimate, he/she may object the Data Controlling.
The Data Subject may request the Data Controller to restrict controlling of his/her personal data, if the Data Subject disputes the accuracy of the controlled personal data. In this case the limitation applies to the period available to the Data Controller to verify the accuracy of the personal data. The Data Controller shall mark the controlled personal data, if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly identified.
The Data Subject may request the Data Controller to restrict controlling of his/her personal data also in case, if the Data Controlling is illegitimate, but the Data Subject objects the deletion of the controlled personal data, and requests restricting their use instead.
Furthermore, the Data Subject may request the Data Controller to restrict controlling of his/her personal data, if the purpose of the Data Controlling has been achieved, but the Data Subject needs them to be controlled by the Data Controller to submit, enforce or protect legal claims.
The Data Subject are entitled to receive the personal data he/she submitted to the Data Controller in a broadly used format readable by machine; furthermore you are entitled to forward these data to a third-party data controller.
The Data Controller is obliged to keep records related to exercising rights by the Data Subjects.
Legal practice of the Data Subject described in this section can be deemed acceptable and authentic, if the statement related to the legal enforcement comes from the address or email address submitted by the Data Subject, furthermore, if the Data Subject certifies his/her identity in another adequate manner.
Data Protection incident
In case of a Data Protection Incident, the Data Controller must do its best to prevent or minimize material and non-material damages arising on behalf of the Data Subjects.
Upon becoming aware of a Data Protection Incident, the Data Controller must determine the nature of the Data Controlling Incident, then must make sure that all adequate technological defense and organizational arrangements have been made, especially including the notification of the competent data protection authority.
If possible, in case of a Data Protection Incident the Data Controller is obliged to notify the competent data protection authority within 72 (seventy two) hours as of becoming aware of the Data Protection Incident.
In order for the Data Subject to make the necessary precautionary measures, the Data Controller is obliged to notify the Data Subject on the Data Protection Incident without unreasonable delay after becoming aware of the incident, if it is highly probable that the Data Protection Incident represents high risk for the rights and liberties of the Data Subject. The provided information shall include the description of the nature of the Data Protection Incident, as well as recommendations to the Data Subject as to the mitigation of potential adverse impacts thereof.
The Data Controller is obliged to keep record of the Data Protection Incidents.
Enforcement of the rights
In connection with the Data Controlling, the Data Subject may contact the Data Controller by sending a letter to the registered addresses of any of the Data Processors, or send an electronic letter to email address email@example.com.
Data Subjects may submit their complaints related to Data Controlling to the Hungarian National Data Protection and Freedom of Information Authority (NAIH).
Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
postal address: 1530 Budapest, PO: 5.
address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Should his/her rights related to Data Controlling be violated, the Data Subject may go to court. At the Data Subject’s discretion, the lawsuit can also be launched before the tribunal competent according to the Data Subject’s residence or location.
This Data Controlling Policy shall be published on the Website, and effective as of date of its publication.
The Data Controller is obliged to unilaterally modify this Data Controlling Policy by publishing such modifications on the website.
Date: Budapest, Friday, May 25, 2018