Privacy Policy
For visitors to
www.menzoudent.com
operated by Menzou Dental Kft.
Please read this Notice carefully to understand how we process your personal data and your rights in relation to data processing.
Introduction
The Data Controller processes the data of visitors to the above-mentioned website to provide them with appropriate services during the operation and management of the website. The Data Controller fully intends to comply with the legal requirements for the processing of personal data. Therefore, this privacy notice has been prepared based on Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR) on the protection of natural persons regarding the processing of personal data and on the free movement of such data, taking into account the content of Act CXII of 2011, which addresses the right to informational self-determination and freedom of information. In the course of its business and economic activities, the Data Controller pays special attention to the protection of personal data, compliance with mandatory legal provisions, and the safe and fair processing of data. The Data Controller treats personal data confidentially as set out in this notice, and takes all necessary security, technical, and organizational measures to ensure the safety of the data and compliance with data protection and data security regulations. The Data Controller considers it important to respect and enforce the data processing rights of its Clients, Partners, and all other natural persons concerned (hereinafter: Data Subjects). Therefore, the Data Controller undertakes to ensure that its data processing related to its services complies with the requirements set out in applicable laws. Menzou Dental Ltd. (hereinafter: Data Controller) as the data controller, respects the privacy of all individuals who provide personal data and is committed to protecting it. The following information is provided pursuant to Article 13 of the General Data Protection Regulation (GDPR) of the European Union (Regulation No. 679/2016):
Data of the Data Controller:
Name: Menzou Dental Korlátolt Felelősségű Társaság
Head office: 1012 Budapest, Vérmező st 6. downstairs.1.
Tax number: 25787050-2-41
Represented by: dr. Fouzi Menzou Executive Director
E-mail: info@menzoudent.com
Privacy notice
contact: On the Data Controller’s website, https://menzoudent.com
Requests for data protection: If you have any requests or questions regarding data management, you can send your request by post to 1012 Budapest, Vérmező út 6. fszt.1., or electronically to info@menzoudent.com. We will send our response without delay, but no later than 30 days to the address you provided.
Data processing: The individuals detailed below carry out data processing.
Transfer to foreign countries: No data is transferred abroad.
1. Principles and legal basis for data processing legality
The Data Controller declares that it processes personal data in accordance with this privacy notice and complies with the relevant legal provisions, with particular attention to the following:
- Personal data must be processed lawfully, fairly, and in a transparent manner for the data subject.
- Personal data must be collected for specified, explicit, and legitimate purposes only.
- The purpose of processing personal data must be appropriate and relevant, and limited to what is necessary.
- Personal data must be accurate and up-to-date. Inaccurate personal data must be deleted or corrected without delay.
- Personal data must be stored in a manner that allows the identification of data subjects only for as long as necessary. Personal data may be stored for longer periods only if the storage is for purposes of public interest archiving, scientific and historical research, or statistical purposes.
- Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures.
The principles of data protection must be applied to all information relating to an identified or identifiable natural person.
1.1. The legal basis and lawfulness of data processing:
The processing of personal data is lawful only if and to the extent that at least one of the following applies:
the data subject has given consent to the processing of their personal data for one or more specific purposes;
the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
the processing is necessary for compliance with a legal obligation to which the data controller is subject;
the processing is necessary to protect the vital interests of the data subject or of another natural person;
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
the processing is necessary for the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially where the data subject is a child.
If personal data is collected with the consent of the data subject, the Data Controller may process the collected data without further consent, and even after the withdrawal of consent, for the purpose of fulfilling legal obligations, performing a contract, protecting the vital interests of the data subject or another natural person, or for the legitimate interests of the Data Controller or a third party, provided that the legal conditions are met.
Personal data may be transferred and different data processing operations may be connected if the data subject has consented to it, or if it is permitted by law, and if the conditions for data processing are met for each personal data.
Personal data may be transferred from the country to a data controller or data processor in a third country – regardless of the data carrier or method of data transfer – if the data subject has expressly consented to it, or if permitted by law, and if an adequate level of protection for the personal data is ensured during their processing in the third country.
In the case of mandatory data processing, the purpose and conditions of data processing, the range of data to be processed and their accessibility, the duration of data processing, and the identity of the Data Controller shall be determined by the law or municipal decree ordering the data processing.
Data processing based on the performance of a legal obligation is independent of the data subject’s consent since the data processing is determined by law. In such a case, the data subject must be informed before the commencement of data processing that the data processing is mandatory, and the data subject must be clearly and comprehensively informed of all facts related to the processing of their data before the commencement of data processing, particularly about the purpose and legal basis of the data processing, the person authorized to process the data, the duration of data processing, and who can access the data. The information must also cover the data subject’s rights and remedies related to data processing. In the case of mandatory data processing, the information can also be provided by publicizing the legal provisions containing the aforementioned information.
The law may order the publication of personal data for public interest – with the explicit specification of the data range. In all other cases, the publication requires the consent of the data subject, and in the case of special data, written consent is needed. In case of doubt, it should be presumed that the data subject has not given their consent. The data subject’s consent shall be deemed to have been given for data disclosed or provided by them for the purpose of publication during their public role. In a procedure initiated at the request of the data subject, it shall be presumed that the data subject has consented to the processing of the necessary data. The data subject must be informed of this fact. The data subject may also give their consent within the framework of a written contract with the Data Controller for the purpose of fulfilling the contract. In this case, the contract must contain all the information that the data subject needs to know from the perspective of personal data processing, particularly the specification of the data to be processed, the duration of data processing, the purpose of use, the transfer of data, and the use of a data processor. The contract must unambiguously state that by signing, the data subject consents to the processing of their data as specified in the contract.
The right to the protection of personal data and the data subject’s personality rights – unless the law provides otherwise – cannot be violated by other interests related to data processing, including the transparency of public interest data.
Personal data may also be processed if obtaining the data subject’s consent is impossible or would involve a disproportionate effort, and the processing of personal data is necessary for the fulfillment of a legal obligation of the Data Controller, or for the legitimate interest of the Data Controller or a third party, provided that this legitimate interest is proportionate to the restriction of the right to personal data protection.
If the data subject cannot give their consent due to incapacity or other unavoidable reasons, their personal data may be processed to the extent necessary for the protection of the vital interests of the data subject or another person, and for the prevention or avoidance of a direct threat to the life, health, physical integrity, or property of individuals.
2. Specific data processing related to the Data Controller’s website:
Our website is informal in nature, serving marketing and informational purposes. Additionally, you can contact our Company through our website.
2.1. Data processing related to website visitors:
When using our website, certain data is automatically recorded from your device or browser when visiting the website. You can find more information about these processes on the Cookie Policy page!
3. The method and security of data processing
The Data Controller ensures the security of the data and takes the necessary technical and organizational measures and establishes the procedures necessary to enforce the GDPR and other data and secrecy protection regulations. The Data Controller protects personal data from unauthorized access; unauthorized alteration; unauthorized transmission; unauthorized disclosure; unauthorized or accidental deletion, destruction; damage; and from becoming inaccessible due to changes in the applied technology.
The website operates through SSL encryption (https).
Emails are operated through Google’s servers.
Personal data (applications) are accessible through a password-protected administrative interface.
Paper-based documents are stored in a locked office, in a locked cabinet.
In the event of data loss due to the Data Controller’s fault, the Data Controller is obliged to restore the data free of charge.
4. Rights of the person concerned:
4.1. Rights of persons concerned
According to the provisions of the GDPR and the Info Act, natural persons may request the Data Controller to provide information about the processing of their personal data; access to and rectification of their personal data; deletion or restriction of their personal data; and they may express their objection to the processing of their personal data and exercise their right to data portability.
Right to Information and Access
Upon the request of the data subject, the Data Controller shall provide information during the data processing period about the data processed by it, their source, the purpose, legal basis, and duration of the data processing, the name and address of the data processor, and its activities related to data processing, the circumstances of any data protection incident, its effects, and the measures taken to mitigate it, as well as who and for what purpose could access the personal data. If the data subject’s data has been transferred, the data subject may receive an extract from the data transfer register related to them. The Data Controller shall provide the information without unreasonable delay, in an understandable form, within the shortest possible time from the submission of the request, but no later than 30 (thirty) days. The provision of information is free of charge if the requester has not yet submitted a request for information to the Data Controller for the same scope of data in the current year. The Data Controller may refuse to provide information if the data subject does not request information about their own data, if the person requesting information cannot credibly prove that they are the person concerned by the data processing, if the law excludes the provision of information, or if the Data Controller receives the data from another data controller under legal or international treaty provisions that restrict the data subject’s right to information. The Data Controller is only entitled to provide information to the data subject and persons authorized by them in a fully proven private document. In the case of refusal to provide information, the Data Controller shall inform the requester of the legal basis for the refusal. In the event of refusal, the Data Controller shall inform the data subject about the possibility of judicial remedy and the right to appeal to the National Authority for Data Protection and Freedom of Information. The Data Controller shall notify the National Authority for Data Protection and Freedom of Information annually by January 31 of the following year of the rejected requests.
Right to rectification
The data subject may request the rectification of their personal data, meaning they have the right to request the Data Controller to rectify any inaccurate personal data concerning them without undue delay, and also request the Data Controller to complete their personal data if it is incomplete. If the correct personal data is available to the Data Controller, the Data Controller shall rectify the personal data without delay. The Data Controller shall examine the rectification request without undue delay, within the shortest possible time from its submission, but no later than 30 (thirty) days, and inform the requesting person in writing of its decision and the available legal remedies.
Right to erasure, restriction
The data subject has the right to request the Data Controller to delete personal data concerning them without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
- the personal data has been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject;
Right to restriction of processing
The data subject has the right to request the data controller to restrict processing if one of the following applies:
- the data subject contests the accuracy of the personal data, in which case the restriction applies for a period enabling the data controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the data controller no longer needs the personal data for the purpose of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
- the data subject has objected to processing; in this case, the restriction applies for the period during which it is verified whether the legitimate grounds of the data controller override those of the data subject.
Right to Object
The data subject may object to the processing of their personal data. The Company shall examine the objection without delay, within the shortest possible time from the submission of the request, but no later than 30 (thirty) days, decide on its merits, and inform the requester of its decision in writing.
The data subject may object to the processing of their personal data in the following cases,
- if the processing or transfer of personal data is necessary solely for the fulfillment of the legal obligations of the data controller or for the enforcement of the legitimate interest of the data controller, data recipient, or a third party, except in cases of mandatory data processing;
- if the personal data is used or transferred for direct marketing, public opinion polling, or scientific research purposes; and
- in other cases specified by law.
If the data subject’s objection is justified, the Data Controller shall cease the data processing, including further data collection and transmission, and shall delete or restrict the data, as well as inform all those to whom the personal data affected by the objection was previously transmitted and who are required to take action to enforce the right to object. If the Office disagrees with the data subject’s objection, or if the Office fails to review and decide on the objection within the deadline, the data subject may appeal to the court within 30 days from the notification of the decision or from the last day of the deadline.
Rights of Data Subjects Regarding Automated Decision-Making and Profiling
The Data Subject has the right to request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except if the decision:
- is necessary for the conclusion or performance of a contract between the Data Subject and the Data Controller;
- is authorized by Union or Member State law applicable to the Data Controller, which also lays down suitable measures to safeguard the Data Subject’s rights, freedoms, and legitimate interests; or
- is based on the Data Subject’s explicit consent.
In the cases mentioned in points 1 and 3, the Data Controller is obliged to take appropriate measures to protect the Data Subject’s rights, freedoms, and legitimate interests, including at least the right of the Data Subject to request human intervention on the part of the Data Controller, to express their point of view, and to contest the decision.
Notification Related to Rectification, Deletion, or Restriction of Data Processing
The Data Controller shall inform each recipient to whom the personal data has been disclosed of any rectification, deletion, or restriction of processing, except where this proves impossible or involves disproportionate effort. At the request of the Data Subject, the Data Controller shall inform the Data Subject about those recipients.
Notification of the Data Subject about a Data Protection Incident
If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the Data Subject of the data protection incident without undue delay. The notification shall clearly and comprehensibly describe the nature of the data protection incident, provide the name and contact details of the data protection officer or other contact point where more information can be obtained, describe the likely consequences of the data protection incident, and describe the measures taken or proposed by the data controller to address the data protection incident, including, where applicable, measures to mitigate any adverse effects of the data protection incident.
The Data Subject does not need to be informed if any of the following conditions are met:
- the Data Controller has implemented appropriate technical and organizational protection measures, and these measures were applied to the data affected by the data protection incident, in particular, measures such as encryption, which make the data unintelligible to unauthorized persons.
- the Data Controller has taken additional measures following the data protection incident that ensure that the high risk to the rights and freedoms of the Data Subject is no longer likely to materialize;
- the notification would require disproportionate effort.
In such cases, the Data Subjects must be informed by publicly disclosed information or by taking similar measures that ensure similarly effective information to the Data Subjects. If the Data Controller has not yet informed the Data Subject about the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to result in a high risk, may order the Data Subject to be informed, or may determine that a condition exists that makes notification unnecessary.
4.2. The submission of the request by the Data Subject, the measures taken by the Data Controller
The Data Controller facilitates the exercise of the Data Subject’s rights set out in this chapter and in legislation. The Data Controller cannot refuse to fulfill the Data Subject’s request to exercise their rights, except if the Data Controller proves that it is unable to identify the Data Subject. The Data Controller shall inform the Data Subject without undue delay, but no later than 30 (thirty) days from the receipt of the request, about the measures taken following the Data Subject’s request to exercise their rights. If necessary, considering the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the Data Subject about the extension of the deadline within one month from the receipt of the request, stating the reasons for the delay.
The information shall be provided electronically where possible, unless the Data Subject requests otherwise.
If the Data Controller does not take action on the Data Subject’s request, the Data Controller shall inform the Data Subject without delay, but no later than 30 (thirty) days from the receipt of the request, of the reasons for not taking action, and of the Data Subject’s right to lodge a complaint with a supervisory authority and to seek judicial remedy.
The Data Controller shall provide information relating to personal data processing, information about the Data Subject’s rights, and measures free of charge. If the Data Subject’s request is manifestly unfounded or excessive, particularly because of its repetitive nature, the Data Controller, taking into account the administrative costs of providing the requested information or communication or taking the requested action:
- may charge a fee, or
- may refuse to act on the request. The burden of proving that a request is manifestly unfounded or excessive lies with the Data Controller. If the Data Controller has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the Data Subject.
5. Remedy
5.1 Information, complaint
If the Data Subject believes that their rights relating to the processing of personal data have been violated, they may contact the Data Controller for information and to exercise their rights using the provided contact details.
5.2 Complaints to the Authority
For further remedies, complaints may be submitted to the National Authority for Data Protection and Freedom of Information. The Authority will only investigate complaints if the data subject has already contacted the data controller regarding the exercise of the rights mentioned in the complaint before submitting a report to the Authority.
In case of violation of their rights, the data subject may turn to the court or the data protection authority against the data controller. Remedies and complaints can be submitted using the following contact details:
Nemzeti Adatvédelmi és Információszabadság Hatóság
Address: 1055 Budapest, Falk Miksa str 9-11.
Post address: 1363 Budapest, Pf.: 9.
Phone:
+36 (30) 683-5969
+36 (30) 549-6838
+36 (1) 391 1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: naih.hu
6. Processors (Scope of Persons Knowing the Data, Data Transfer, Data Processing)
The data can primarily be accessed by the Data Controller, but it is not made public or transferred to third parties, except for processors and cooperating external service providers. For the fulfillment of orders, ensuring the operation of services, and settling accounts, the Data Controller may use processors or cooperate with external service providers.
Data controllers
Regarding clients, the Data Controller transfers data to the following companies and uses the following processors. The processors do not make independent decisions; they are only authorized to act in accordance with the contract with the Data Controller and the instructions received. The processors record, manage, and process the personal data transferred to them by the Data Controller or processed by them in accordance with the provisions prescribed by the GDPR.
Hosting service:
Name / Company name: Sybell Informatika Kft.
Head office: 1158 Budapest, Késmárk u. 7/B 2. em. 206.
Phone: +36 1 707 67 27
E-mail: info@sybell.hu
Contact details of the Privacy Policy: https://sybell.hu/adatvedelmi-tajekoztato/
The data provided by you is stored on a server operated by the hosting service provider. Only the Data Controller, the IT specialist/web developer, and the employees operating the server have access to the data, but they are all responsible for securely handling the data.
Title of the activity: hosting services, server services.
Purpose of data processing: to ensure the operation of the website.
Scope of the data processed: The personal data previously listed in the Data Management Information.
Duration of Data Processing and Data Deletion Deadline: Data processing shall continue until the end of the operation of the website or according to the contractual agreement between the website operator and the hosting service provider. The data subject may also request the deletion of their data by contacting the hosting service provider if necessary.
Legal basis for data processing: GDPR Article 6(1)(b) the processing is necessary for the performance of a contract to which the data subject is a party.
7. Other provisions, entry into force
This data management information is published by Menzou Dental Kft. (Data Controller) on its website (www.menzoudent.com).
The Data Controller may unilaterally amend this notice. The current notice is available on the Data Controller’s website, and any modifications to the notice will also be communicated there.
Dated: Budapest, 01 December 2024.
Menzou Dental Kft.
Represented by: Fouzi Menzou M.D. Executive Director
