PRIVACY NOTICE

 

Go Active Egészségklub Magyarország Kft. Registered office: 1075 Budapest, Holló utca 12-14.
Company register number: 01-09-729572 Tax number: 13326902-2-42
Manager: Judit Rohonczy Central phone number:+36(1) 878-1302

 

Go Active Egészségklub Magyarország Kft. (hereinafter referred to as Service Provider) is committed to protecting the data of the data subjects that contact it (hereinafter referred to as User or Customer) and properly informing them about processing of their personal data.

 

This Regulations contains the rules for processing, using, storing the Data of Users and Customers. It contains the most important data protection rules applying to processing of personal data necessary for fulfilling its tasks, in particular with respect to privacy requirements relating to processing, transmitting, disclosing of data and data process.

 

1) Legal base of processing 

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 96/46/EC (General Data Protection Regulation.)

Service Provider shall process the data processed by it only with the Customer’s voluntary consent or in the case of obligatory data supply stipulated by legal regulations. Recording and processing of personal data may only be carried out in a fair and lawful manner.

The scope of subject of the information Notice created pursuant to the obligations set out in Article 30 of the Regulation covers processing carried out by Service Provider and affecting all personal data processed by processor(s) on the basis of the Service Provider’s assignment, performed fully or partly by automated means and manually.

It shall be prohibited to use any personal data made available by any other controller for fulfilling the Service Provider’s tasks, for private purposes.

 

2) Legal regulations serving as basis of processing

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 96/46/EC (General Data Protection Regulation.)

Act CXII of 2011 on Informational Self-Determination and Freedom of Information.

Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services.

Act C of 2003 on Electronic Communications.

 

3) Purpose and purpose limitation of processing

3.1 The purpose of processing is for the Service Provider to identify the Users and/or Customers, exercise its rights and obligations based on legal regulations or Contract, and use them for statistical purposes and during its advertising activity, send them advertising messages as well as verify the standard of the service provided for Users and/or Customers.

3.2 The data subject shall be informed of the purpose of processing and who will process the data. Only data that are indispensable for implementing the purpose of processing, suitable for achieving the purpose and only to the extent and for the time necessary for the purpose may be processed.

3.3 Service Provider is entitled to unilaterally modify this Regulations any time and shall inform the User of this on the surface of the Website.

 

4) Processing activities carried out by the Service Provider

Providing physical training, massage and wellness services

Processing data of minors

Processing data relating to “Freezing”

Online purchase (www.goactive.hu)

Sending newsletters, direct marketing (in Hungarian/English)

Operating camera system

Cookies used on the Website

 

5) Definitions

security of personal data: practical, information technology and other technical kind of protection of the integrity and confidentiality of specific personal data – irrespective of the legal classification and information content of the data – as well as the totality of organizational, technical solutions and rules of procedure against unauthorized processing of personal data, in particular obtaining, processing, alteration and destruction of personal data on the basis of which the risk factors of processing – and thereby exposure to threats – can be reduced to the lowest rate through organizational, technical solutions and measures

processing: irrespective of the procedure applied (manual or computerized processing) any operation or set of operations which is performed on the data, such as in particular collection, entry, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure and destruction

controller: the natural or legal person, public authority or organization not constituting a legal entity who or which, alone or jointly with others, determines the purposes of the processing of personal data, adopts and implements or causes the processor assigned by it to implement the decisions on processing (including the means used); where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for its nomination may be provided for by Union or national law

data process: performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data

processor: a natural or legal person or organization not constituting a legal entity who or which carries out data process, processes personal data on the basis of a contract, including contracts concluded pursuant to provisions of law

pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person

recipient: a natural or legal person, public authority, agency or another body, to whom or which the personal data are disclosed, whether a third party or not, except for public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or national law, if during processing of personal data by such public authorities the applicable data protection rules according to the purposes of the processing are complied with

third party: a natural or legal person or organization not constituting a legal entity other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

consent of the data subject: any freely given, specific informed and unambiguous indication of the data subject’s wishes by which he or she gives his or her clear consent to the processing of personal data relating to him or her – in full scope or extending to specific operations;

personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question

biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data

data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status

enterprise: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity

group of undertakings: a controlling undertaking and its controlled undertakings

supervisory authority: an independent public authority which is established by a Member State pursuant to Article 51

supervisory authority concerned: a supervisory authority which is concerned by the processing of personal data because:

the controller or processor is established on the territory of the Member State of that supervisory authority

data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

a complaint has been lodged with that supervisory authority

cross-border processing: either

processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State

relevant and reasoned objection: an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union

information society service: a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council

international organisation: an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries

statistical data: descriptive data that cannot be associated with a determined natural person;

personal data: any data that can be associated with the data subject – in particular the data subject’s name, identification code and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject – and any conclusion that can be drawn from such data, regarding the data subject

filing system: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis

personal identification data: first name and family name, maiden name, gender, place and date of birth, mother’s maiden first name and family name, domicile, habitual residence, social security identification code (hereinafter referred to as Social Security number) such data collectively or any of them, if they are or might be suitable for identifying the data subject

restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future

profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

 

6) Providing physical training, massage and wellness services

6.1 Legal base of processed data

Processing by the Service Provider is pursuant to Article 6 paragraph (1) point (b) of the Regulation performance of the contract.

6.2 Purpose of processing

Identification before concluding the contract, concluding the contract, making contractual legal declaration.

6.3 Manner of storage of data

In printed form, paper based format, in electronic system. 

6.4 Scope of processed data

Public data of the enterprise

Contact person’s name

Telephone number

Email address

Name and phone number of third party to be notified in case of accident

Name, bank account number of financial institution

Customer’s name, address, phone number, email address, bank account number,

Copy of student card, pensioner card for verifying use of allowances

Making a facial image when using the service

6.5 Duration of processing

Service Provider shall process the data only for the duration while the purpose of processing that excluded erasure of the data exists. It shall inform the Data Subject or the Customer of the erasure or blocking of the data, except when non-performance thereof subject to the purpose of processing does not infringe the lawful interests of the data subject.

Service Provider shall keep records of the data electronically and in paper format in properly developed and equipped premises suitable for professional and safe retaining of the archives material.
 Storage of the electronic data is carried out by use of legal software, provided with proper mechanical and physical protection, with endpoint protections put in place, by applying backups.

The periods of processing are determined in accordance with the archives schedule of the internal regulations and the archiving rules of erasure and in compliance with statutory provisions applying to specific documents.

6.6 Controllers and processors

Service Provider is the Controller, does not engage any external processor. Employees are entitled to process and obtain knowledge of the data.

 

7) Processing data of minors

7.1 Legal base of processed data

Pursuant to Article 8 of the Regulation, conditions applicable to child’s consent in relation to information society services.

Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.

7.2 Purpose of processing

Keeping records of attendance in group or individual classes organized by the Service Provider.

7.3 Manner of storage of data

In printed form, paper based format, in electronic system.

7.4 Scope of processed data

User or Customer acknowledges that in accordance with Service Provider’s house rules persons below the age of 18 years shall be deemed as minors; consequently, they may not use the services provided by Service Provider independently. The data and information disclosed about the minors to the Service Provider originate every time from the User or Customer. The data are processed in connection with participation in the group or individual classes organised for children. Such as e.g. classes (swimming) for age groups.

7.5 Duration of processing

Service Provider shall process the data only for the duration while the purpose of processing that excluded erasure of the data exists. It shall inform the Data Subject or the Customer of the erasure or blocking of the data, except when non-performance thereof subject to the purpose of processing does not infringe the lawful interests of the data subject.

Service Provider shall keep records of the data electronically and in paper format in properly developed and equipped premises suitable for professional and safe retaining of the archives material.
 Storage of the electronic data is carried out by use of legal software, provided with proper mechanical and physical protection, with endpoint protections put in place, by applying backups.

The periods of processing are determined in accordance with the archives schedule of the internal regulations and the archiving rules of erasure and in compliance with statutory provisions applying to specific documents.

7.6 Controllers and processors

Service Provider is the Controller, does not engage any external processor. Employees are entitled to process and obtain knowledge of the data.

               

8) Processing data relating to freezing

8.1 Legal base of processed data

Processing by the Service Provider is pursuant to Article 6 paragraph (1) point (b) of the Regulation performance of the contract.

8.2 Purpose of processing

When concluding the contract, by accepting the GTC (General Terms and Conditions) it is possible to “freeze” the contract. In the case of medically certified freezing, the data subject may request extension of the term of the club membership contract to the determined time of the service purchased under the contract. The service is free of charge, if the data subject can certify this by a medical paper.

8.3 Manner of storage of data

In paper format, in photocopy.

8.4 Scope of processed data

The information regarding the data of the Data Subject stated in the certificate and limitation of the club membership owing to health reasons, disclosed by the physician.

8.5 Duration of processing

Service Provider shall process the data only for the duration while the purpose of processing that excluded erasure of the data exists, but maximum until the last day of freezing. After that, it will destruct the relevant personal data and information.

8.6 Controllers and processors

Service Provider is the Controller, does not engage any external processor. Employees authorised to do so are entitled to process and obtain knowledge of the data.

 

9) Online purchase (www.goactive.hu)

9.1 Legal base of processed data

Voluntary and clear consent of the Data Subject, by ticking the GTC and the Privacy Notice, checkbox in order to perform the contract.

9.2 Purpose of processing

The purpose of processing is identification before concluding online purchase contract, concluding the contract, making the contractual legal declaration, invoicing on the basis of the data specified for contact.

9.3 Manner of storage of data

In electronic system, in paper format in printed form.

9.4 Scope of processed data

Public data of the enterprise

Contact person’s name

Telephone number

Email address

Name and phone number of third party to be notified in case of accident

Name, bank account number of financial institution

Customer’s name, address, phone number, email address, bank account number,

Copy of student card, pensioner card for verifying use of allowances

User’s IP address

9.5 Duration of processing

Service Provider shall process the data only for the duration while the purpose of processing that excluded erasure of the data exists. It shall inform the Data Subject or the Customer of the erasure or blocking of the data, except when non-performance thereof subject to the purpose of processing does not infringe the lawful interests of the data subject.

Service Provider shall keep records of the data electronically and in paper format in properly developed and equipped premises suitable for professional and safe retaining of the archives material.
 Storage of the electronic data is carried out by use of legal software, provided with proper mechanical and physical protection, with endpoint protections put in place, by applying backups.

The periods of processing are determined in accordance with the archives schedule of the internal regulations and the archiving rules of erasure and in compliance with statutory provisions applying to specific documents.

 

9.6 Controllers and processors

Service Provider is the Controller, does not engage any external processor. Employees are entitled to process and obtain knowledge of the data.

 

10) Labour market databank

10.1 Purpose of processing

Participation in job applications for vacancies announced on the Service Provider’s website, instagram or facebook page. The purpose of processing the data is to find new staff members to fill the vacant positions.

10.2 Legal base of processing

The applicant’s expressed and clear consent, sending the CV and motivation letter, in electronic form, to the email address: allas@goactive.hu or info@goactive.hu.

10.3 Manner of storage of data

In electronic form

10.4 Scope of processed data

The data subjects concerned in processing of the data are the applicants; the CV and motivation letter made by them, the data disclosed on the basis of information considered important for them.

 10.5 Duration of processing

Until the consent of the applicant (data subject) is withdrawn, maximum for 1 year from receipt electronically. When engaged as a new employee, after that the provisions of the Labour Code apply.

 

11) Operating camera system

11.1  Legal base of processed data

The Customer’s consent if he or she enters the Service Provider’s premises. The Service Provider calls the attention to the electronic surveillance in accordance with legal regulations at the entrance and on the area of the Club both in text and image form.

11.2  Purpose of the processed data

The purpose of electronic surveillance is to provide protection of the person and property of visitors and protect human life and health in a part of the rooms of Service Provider. Service Provider deemed that the currently used system is necessary and proportionate taking account of the criteria of former particular security and health cases. Service Provider reviews the operating policy every 2 years with respect to compliance with and content adhering to privacy laws. During periodical revisions, it examines, among others, the following:

-whether the system continues to fulfil its purpose

-if there are any proper alternatives, and

-whether the purpose is in line with the Regulation.

11.3 Manner of storage of data

For the purposes of increased protection of privacy, Service Provider has the cameras set at an angle suitable for the purpose, if necessary, it dims, makes unrecognisable a part of the picture.

11.4  Scope of processed data

Recording the visitor’s facial image and behaviour.

11.5  Duration of processing

Maximum (3) three days from recording, if the recorded image or event is not used or no security event occurs.

11.6  Controllers and processors

The current club manager and the staff of the reception desk are the Controller and the Processor. The technical installation and maintenance of the camera system is carried out by Gelfor Data Kft. (1108 Budapest, Oltó utca. 12.). It has in place strict regulation and supervision over the operators’ rights in connection with access.

 

12) Cookies used on the Website

Service Provider will not collect any data not disclosed by them, other than those determined in this Privacy Notice.

The User and the Customer expressly acknowledge that for statistical purposes the Website records the User’s and Customer’s IP address, the start and end date and time of the visit and the title of the page inspected as well as the type of the User’s and Customer’s browser and operation system. The Website automatically carries out logging of the data set out in this clause and stores them for 1 year.

The User and the Customer also herewith expressly accepts that in order to ensure better service to meet the User’s and Customer’s needs it may place small packages, so-called Cookies on the User’s and Customer’s computer. Cookies are designed to record the visitor’s habits. The User and Customer are able to erase the Cookies from their own computer and can set their browser with a view to prohibiting use of Cookies.

Types of Cookies: session cookies, long term cookies, conversional cookies, tracking cookies, remarketing cookies, analytical cookies, inevitable cookies

Session cookies – cookies for short term:

They store information during use of the Website, after that they will be deleted.

Long term cookies – cookies for long term

Designed to provide better user experience during accessing the Website for the User and the Customer. Their storage depends also on the settings of the Internet browser used by the user.

Conversional cookies – conversional cookies

Enable analysis of specific sales channels.

Tracking cookies – follow up cookies

Together with conversion cookies, they enable more accurate channel analysis.

Remarketing cookies – cookies tracking purchasing habits

They track the User’s and Customer’s habits in using the Website; thereby they will receive contents and advertisements tailored to their specific needs.

Analytical cookies – analytical cookies

Track the User’s and Customer’s habits in using the Website.

Inevitable cookies – indispensable cookies

Provide data in connection with basic functions (e.g. search).

Service Provider uses the codes in particular of but not limited to the following services:

Code of Google Adwords remarketing tracking

Code of Facebook pixel

Statistical code of Google Analytics website

Every time when use is subject to registration, the user can any time modify or delete their registration in the own account section of the Website. The User acknowledges that deletion of the registration does not mean erasure of the data disclosed during registration.

Operator of the Website: PNGN Kft. 1034 Budapest, San Marco utca 19. I/1.

Storage site provider: Lajos Adrián Csánig individual entrepreneur  9700 Szombathely, Faludi Ferenc utca 16. 3/19.

 

13) Rights relating to processing

13.1 Information and right of access to personal data

The Data Subject shall have the right to request information from the controller with regard to their personal data at the contact details stated under the Legal Remedies clause. At the Data Subject’s request, it shall inform them without any delay. If the request for information is unlawful, it shall inform them within one month from receipt of the request at the latest of the reasons for the delay, and that the Data Subject may submit a complaint to the supervisory authority and may exercise their right of legal remedies. For foreign citizens, the Data Subject shall have the right to lodge their complaint also with the authority of their residence.

If the Data Subject’s request is clearly unfounded or– in particular owing to its recurring nature – is excessive, the controller may charge administrative costs incurred by providing the requested information or adopting the requested measure or may refuse taking measures upon the request.

13.2 Right to rectification

The Data Subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her or completion of incomplete data. Not later than within one month from receipt of the request the Service Provider will carry out the modification and will send information of this by email. The document on request for rectification can be downloaded from the Website, from under the printed forms flap.

13.3 Right to erasure

The Data Subject shall have the right to obtain from the controller without undue delay the erasure of personal data concerning him or her. The document on request for erasure of data can be downloaded from the Website, from under the printed forms flap.

13.4 Right to restriction of processing

The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

1)

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or the data subject has objected to processing pursuant to Article 21 (1).

2)

Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3)

A data subject who has obtained restriction of processing pursuant to paragraph (1) shall be informed by the controller before the restriction of processing is lifted.

Related notification obligation: The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17 (1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

  

 13.5 Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format (XLS, XML, CSV) and request transmission of those data to another controller.

Legal remedies

All Data Subjects shall have the right to lodge a complaint if they feel that the Service Provider has infringed their rights as a consequence of processing of their personal data.

You may indicate your possible complaints about processing at the following contact details:

In person: at the Go Active Health Club, to the Club Manager

By email: adatvedelem@goactive.hu

In letter: 1075 Budapest, Holló utca 12-14. Go Active Egészségklub Magyarország Kft. Judit Rohonczy manager.

Complaint to authority:  National Authority for Data Protection and Freedom of Information /NAIH

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Postal address: 1530 Budapest, Pf:.5.

Email: ugyfelszolgalat(kukac)naih.hu

URL: https://naih.hu

Telephone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

For foreign citizens, complaints can be lodged with the Hungarian authority and the authority appointed by the Member State of the residence.

Operator: Go Active Egészségklub Magyarország Kft.

Entry into effect:  25 May 2018