DATA PROCESSING NOTICE
Adoption date: July 10, 2023.
1. Purpose of the data processing information
The purpose of this document is for AW GROUP Zrt. (hereinafter referred to as the Company), operating the AW Cosmetics Cosmetic Shaping and Anti-Aging Aesthetic Center, as a data controller (hereinafter referred to as the Data Controller), to define the data protection rules, procedures and protection measures applicable to data classified as personal data applied and operating in the Data Controller's organization.
In this document, the Data Controller also informs its clients, partners, and all natural and legal persons who have any legally understandable relationship with the Data Controller and who are affected by its personal data processing, about the rules for the processing of personal data, the applied protection measures, procedures, and the method of data processing.
The purpose of this information is to set out the data protection principles and data protection policy applied by the Company, based on the relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR) and Act CXII of 2011 on the Right to Information and Self-Determination (hereinafter: Info Act), and thus to guarantee customers the protection of their rights and adequate information regarding the processing of their data in all areas of the services provided by the Company.
The Data Controller further declares that it considers the right to informational self-determination important, with particular regard to personal data, and will take all available organizational, operational, regulatory and technological measures within its scope to comply with and enforce these rights.
The current version of the Data Management Information is available on the website www.awcosmetics.hu. The Data Controller may change the Data Management Information at any time, while publishing it on the website as part of its information obligation.
2. Scope
The provisions of the Notice shall apply to the protection of the personal and sensitive data of all customers who are present at the Company's headquarters or premises and establish contact with the Company.
3. Data protection organizations
The data protection organization:
- the data controller,
- the data processor.
The data controller is the natural or legal person who, alone or together with others, determines the purposes, legal basis and means of processing personal data.
Name of the Company as data controller:
Company name: AW GROUP Ltd.
Headquarters: 1031 Budapest, Apátkút u. 13.
Mailing address, complaint handling: 1031 Budapest, Apátkút u. 13.
Email: info@awcosmetics.hu
Phone number: +36 30 5205701
Website: http://www.awcosmetics.hu
A data processor is a natural or legal person or any other body that processes personal data on the instructions of the data controller and on its behalf and performs technical tasks related to data processing.
Name of data processor:
A data processor is an employee or agent of the Company who, based on the instructions and authorization of the Company's manager, processes the personal and sensitive data of customers and performs technical tasks related to data management.
4. Definitions of terms
"personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"data processing" means any operation or set of operations which is performed on personal data or data sets, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"restriction of processing" means the marking of stored personal data with a view to restricting their future processing;
"profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
"pseudonymisation" means the processing of personal data in such a way that the personal data can no longer be identified without the use of additional information, provided that such additional information is stored separately and technical and organisational measures are taken to ensure that the personal data cannot be attributed to an identified or identifiable natural person;
"filing system": a file of personal data, structured in any way - centralized, decentralized or according to functional or geographical aspects - which is accessible based on specific criteria;
"controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
"processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
"recipient" means the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by such public authorities shall be in accordance with the applicable data protection rules in accordance with the purposes of the processing;
"third party" means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
"consent of the data subject" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
"data breach" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
"undertaking": a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity.
4. Data processing by the data controller and the personal data processed
1. Data related to the Company's services
Personal data: GDPR Article 4.
Any data, information or factor relating to an identified or identifiable natural person (“data subject”), on the basis of which the given natural person can be identified. These include in particular: name, number, location data, online identifier, data referring to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. The taking of photographs, audio or video recordings, and the collection of physical characteristics suitable for personal identification also qualify as personal data processing.
Special data: GDPR Article 9.
Within the scope of personal data, special data includes data indicating racial or ethnic origin, political opinions, religious or ideological beliefs, trade union membership, as well as genetic, biometric data, health data, data indicating the sex life and sexual orientation of natural persons, suitable for the unique identification of natural persons.
The processing of these data is only possible with the exclusive consent of the natural person concerned. If the data subject refuses consent, the processing of the special data specified above is prohibited.
When using the services and treatments provided by the Company, the Company requests personal data from its customers with content appropriate to each service. This data is provided on the data collection form, the consent declaration and other treatment information. The customer fills these out and makes them available to the Company before starting the service.
| Data processing provisions related to the use of services | |
| --- | --- |
| Data subjects | The data subjects are all natural persons who use the Company's services at the Company's premises. |
| Legal basis for data processing | By providing the requested data, the Data Subject voluntarily consents to the processing of his/her personal data. |
| Scope of data processed in data management | For each service, the name of the Data Subject. The scope of the processed data varies depending on the service, and is always stated on the data sheet for the given treatment. The data that can be requested is the Data Subject's general health status and personal data. General questions regarding the Data Subject's health: This information is essential for the Data Subject's health and for the selection of appropriate treatments. Providing a phone number is not mandatory. The Company is not a healthcare-related business, but there are services for which, before being used, information about the health status of the Data Subject may be important for their safety. |
| Purpose of data processing | In the case of name and telephone number: customer contact, e.g. appointment modification. |
| Retention period of data processed in data processing | The Company stores the Data Request Forms containing the data for at least five years after the last appearance of the Data Subject. |
| Legal consequences of failure to provide data | If the Data Subject is unwilling to provide the requested data before using the service, the requested service may be refused by the Company. |
| How the data is handled | The data is provided on the data processing consent form, which is saved electronically and filed in a physical file under the name of the Data Subject at the registered office or site of the Company, depending on the place of provision of the service. |
2. Data processing related to sending newsletters
The Company informs its Customers on a monthly basis about the expansion of its services, promotions and actions. Newsletters are sent to the e-mail addresses voluntarily provided by the Customers in advance, either by e-mail or by using newsletter sending software (Salonic system).
Subscription to the newsletter is based on voluntary consent and is done in person by filling out a form. It is not possible to subscribe directly from the website.
| Data processing provisions related to sending newsletters | |
| --- | --- |
| Data subjects | The data subjects are all natural persons who have used the services of the Company at the Company's premises and have previously provided the Company with their e-mail address and have expressly consented to the sending of newsletters (at regular intervals about new services, current promotions, and discount opportunities). |
| Legal basis for data processing | By providing the requested data, the Data Subject voluntarily consents to the processing of his/her personal data. |
| Scope of data processed in data management | The email address of the data subject. |
| Purpose of data processing | Sending marketing inquiries at regular intervals about new services, current promotions, and discount opportunities. |
| Retention period of data processed in data processing | The Company stores the Data Request Forms containing the data for at least five years after the last appearance of the Data Subject. |
| Legal consequences of failure to provide data | Providing data is voluntary; if you do not provide your email address, the newsletter will not be sent. |
| How the data is handled | The email address is provided on the data processing consent form, which is saved electronically and filed in a physical file under the name of the Data Subject at the registered office or site of the Company, depending on the place of provision of the service. You can unsubscribe from newsletters or request deletion by email at the Data Controller's official email address. |
3. Data processing related to sending the birthday gift voucher
The Company provides a gift voucher or discount coupon to regular users of its services on their birthday by sending a direct e-mail or using the appointment booking system (Salonic system) to those customers who provide their date of birth and e-mail address as part of voluntary data provision.
| Data processing provisions related to sending birthday gift vouchers | |
| --- | --- |
| Data subjects | The data subjects are all natural persons who have used the Company's services at the Company's premises and have previously provided the Company with their email address and date of birth. |
| Legal basis for data processing | By providing the requested data, the Data Subject voluntarily consents to the processing of his/her personal data. |
| Scope of data processed in data management | The data subject's email address and date of birth. |
| Purpose of data processing | Providing free gift services or discounts to customers who regularly use the Company's services. |
| Retention period of data processed in data processing | The Company stores the Data Request Forms containing the data for at least five years after the last appearance of the Data Subject. |
| Legal consequences of failure to provide data | Providing data is voluntary; if the data is not provided, the gift voucher or discount coupon will not be sent. |
| How the data is handled | The data is provided on the data processing consent form, which is saved electronically and filed in a physical file under the name of the Data Subject at the registered office or site of the Company, depending on the place of provision of the service. |
4. Data processed during appointment booking
The Company's services are available by appointment. Appointments can be booked via the Salonic appointment booking system available on the Company's website, in person, by phone or by email.
The person initiating the appointment booking (hereinafter referred to as: Data Provider) must give their voluntary, clear, specific informed consent to the processing of personal data, depending on the method of booking the appointment, electronically (by e-mail), on the electronic interface (in the Salonic appointment booking system), or on paper (in the case of a personal appearance or telephone appointment booking, with subsequent confirmation of verbal consent), in accordance with the provisions of this information and the regulations indicated in the Salonic system.
The information can be viewed on the website www.awcosmetics.hu; the Data Controller will also provide information about it by phone, and it can be viewed and read in person at the Company's premises.
| Data processing provisions related to appointment booking | |
| --- | --- |
| Data subjects | The data subjects are all natural persons who wish to use the Company's services at the Company's premises. |
| Legal basis for data processing | By providing the requested data, the Data Subject voluntarily consents to the processing of his/her personal data. |
| Scope of data processed in data management | The name, email address, date of birth, place of residence, and telephone number of the data subject. |
| Purpose of data processing | Name of the data subject: for the purpose of properly recording the person's treatments, developing personalized cosmetic treatments, and invoicing. Email address: data required for electronic communication, to which an email confirming the reservation will be sent, and through which the reservation can be modified or canceled. The electronic invoice will also be sent to the email address. Date of birth: not mandatory, data processing is necessary for sending birthday vouchers and discount coupons. Residence: data required for billing and information about discounts provided to residents of the district where the Company is headquartered or located. Telephone number: data required for contact, for example, due to cancellation or modification of the service by the Company. |
| Retention period of data processed in data processing | The Company stores the Data Request Forms containing the data for at least five years after the last appearance of the data subject. |
| Legal consequences of failure to provide data | In the absence of data provision - apart from the data voluntarily provided - the Company's services cannot be used. |
| How the data is handled | The data is provided in person on the data processing consent form, which is saved electronically and physically filed in a file under the name of the Data Subject at the registered office or premises of the Company, depending on the place of provision of the service. When booking an appointment in the appointment booking system (Salonic system), the data is provided electronically. |
5. Data processed in connection with the payment of services used by the Company
The Company uses an electronic invoicing system and issues invoices with data content in accordance with the Accounting Act via the www.szamlazz.hu application. An electronic copy of the invoices will be sent to the data subject by e-mail.
The legal basis for data processing is determined by law in the event of compliance with a legal obligation, so the consent of the Data Subject is not required for the processing of their personal data.
The Company hands over the invoices and, if necessary, contracts for storage and registration to K+J Accounting Services Ltd. (hereinafter referred to as: Accountant), which provides accounting services to the Company and ensures their preservation for the period specified in accounting regulations.
6. Data processing activities related to the performance of contracts
The Company also processes the personal and business data of persons contracting with it in connection with the contractual relationship, and makes the contracts available to the Accountant if necessary.
| Data processing provisions related to the performance of contracts | |
| --- | --- |
| Data subjects | The scope of data subjects includes all natural and legal persons who enter into a contractual relationship with the Company. |
| Legal basis for data processing | The contract concluded between the Contractor and the data subject and its performance. |
| Scope of data processed in data management | The data subject's name, email address, place of residence, registered office, telephone number, company registration number/registration number, tax identification number/tax number, name of his/her representative, bank account number. |
| Purpose of data processing | Fulfillment of the contract, contact, verification of performance, payment of consideration, issuance of invoice, accounting (accounting records). |
| Retention period of data processed in data processing | The Company shall hand over the contracts and invoices to the Accountant for storage and registration, who shall ensure their preservation for the period specified in the accounting regulations. |
| Legal consequences of failure to provide data | In the absence of data provision, the contract between the parties will not be concluded. |
| How the data is handled | Data is entered manually or electronically during the contracting process. Contracts are sent to the Accountant for safekeeping and for the provision of accounting services. |
7. Data processing activities related to the operation of the Website
Technical data: technical data are data that are mostly generated and recorded automatically during the operation of the Data Controller's systems. Some technical data are stored by the system without a separate declaration or action of the Data Subject and in some cases are automatically logged. Technical data are not directly suitable for identifying the Data Subject, but they can be linked to user data, so identification may be possible. The Data Controller does not create such data links, except in cases where the Data Controller is obliged to do so by law. Only the Data Controller and its Data Processors have access to technical data.
Cookie: During visits to the Website, the Company sends one or more cookies – i.e. a small file containing a string of characters – to the visitor's computer, through which their browser can be uniquely identified. These Cookies are provided by Google and are used through the Google Analytics system. These Cookies are only sent to the visitor's computer when certain subpages are visited, so they only store the fact and time of visiting the given subpage, and no other information or data.
Cookies used:
- a) temporary cookie: automatically deleted after the data subject's visit. These cookies are used to make the Company's website more efficient and secure, and are therefore essential for certain functions of the website or certain applications to function properly.
- b) persistent cookies: the Company also uses persistent cookies to improve the user experience (e.g. to provide optimized navigation). These cookies are stored in the browser's cookie file for a longer period of time. The duration of this depends on the settings of the Data Subject in their internet browser.
- c) Security cookie: external servers help to independently measure and audit the Website's traffic and other web analytics data (Google Analytics). Data controllers can provide detailed information to the Data Subject about the management of the measurement data.
Contact them: www.google.com/analytics
If the Data Subject does not want Google Analytics to measure the above data in the manner and for the purpose described, they should install the add-on that blocks this in their browser.
The "Help" function in the menu bar of most browsers provides information on how to disable cookies in your browser, how to accept new cookies, or how to instruct your browser to set a new cookie or how to disable other cookies.
Hosting provider:
Name: Websupport Hungary Ltd.
Headquarters: 1132 Budapest, Victor Hugo Street 18-22.
Contact: +36 1 700 4140, info@tarhelypark.hu
8. Data related to social media sites
The Company is available on the Facebook social portal, Instagram, and Google+ social network.
The use of the social network and the contact and maintenance of contact with the Data Controller through it, and other operations permitted by the social network, are based on voluntary consent. The data subjects are those natural persons who voluntarily follow, share, like, and evaluate the data controller's social networks or the content appearing on them.
The following data is processed on social media sites:
Name (username): for identification purposes,
e-mail address: for contact purposes,
operation (e.g. evaluation, question condition): in order to provide an answer.
The Data Controller communicates with the Data Subjects via the social network only when the Data Subject contacts the Data Controller via the social network; the purpose of the scope of the processed data becomes relevant only in that case.
The purpose of the presence on social media portals and the related data management is to share and publish the content on the website on social media, i.e. the marketing of the Data Controller.
The Data Subject voluntarily consents to data processing based on the terms of the social network, for example by following and liking the Data Controller's content.
The Data Subject may rate the Data Controller in text and numerical form, if the social network allows this.
The Data Controller also publishes images/video recordings on its social media page about various events, the Data Controller's services, etc. If the recordings are not mass recordings or recordings of public appearances (Section 2:48 of the Civil Code), the Data Controller always requests the consent of the Data Subject before publishing the images.
The Data Subject can receive information about the data processing of the given social media site on the given social media site.
Duration of data management: until deletion at the request of the Data Subject.
Method of data processing: electronically, automatically.
The source of the data is directly from the Data Subject.
Automated decision-making, profiling: this does not occur in connection with data processing.
The Data Controller draws attention to the fact that the organization operating the given social media site, as the Data Controller, may perform profiling or other automated data processing, but in this case the data controller will be the organization operating the social media site.
5. Rights of Data Subjects regarding the processing of their data
1. Right to information
The data subject has the right to receive information related to data processing before the start of the activity aimed at processing his/her data.
Information to be provided: contact details of the data controller, the purpose of the intended processing of personal data, the legal basis for the processing, the period for which the personal data will be stored, or if this is not possible, the criteria for determining this period.
The data subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, may object to the processing of such personal data, and has the right to data portability.
2. Right of access
The Data Subject has the right to receive feedback from the Data Controller as to whether his/her personal data is being processed; and if such processing is taking place, he/she has the right to access the personal data and the following information:
- the purposes of data processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
- where applicable, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;
- the right of the data subject to request from the controller the rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data;
- the right to lodge a complaint with a supervisory authority;
- if the data were not collected from the data subject, all available information regarding their source.
The Data Controller shall provide the Data Subject with a copy of the personal data subject to data processing.
3. Right to rectification
The Data Subject shall have the right to obtain from the Controller, upon request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the processing, the Data Subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
4. Right to erasure
The Data Subject has the right to request that the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller is obliged to erase personal data concerning the Data Subject without undue delay if one of the following reasons applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the personal data has been processed unlawfully.
Where the controller has made personal data public and is obliged to erase them at the request of the data subject, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that the data subject has requested the erasure of links to, or copies or replications of, the personal data concerned.
5. Right to restriction of data processing
The Data Subject has the right to request that the Data Controller restrict data processing if one of the following applies:
- the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period of time enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;
- the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- if another data subject has objected to the data processing; in this case, the restriction shall apply for the period until it is determined whether the legitimate grounds of the data controller override those of the data subject.
6. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided.
When exercising the right to data portability, the data subject has the right - if technically feasible - to request the direct transmission of personal data between data controllers.
The aforementioned right shall not apply if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This right may not adversely affect the rights and freedoms of others.
7. Right to object
The data subject shall have the right, on grounds relating to his or her particular situation, to object at any time to processing of personal data concerning him or her carried out in the public interest or in the exercise of official authority vested in the controller, or to processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If the personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
8. Right to be exempt from automated decision-making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The previous paragraph shall not apply if the decision:
- is necessary for the conclusion or performance of a contract between the data subject and the data controller;
- is permitted by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- is based on the data subject's explicit consent.
- The data subject's right to complain and seek legal redress
The data subject has the right to lodge a complaint with the supervisory authority if, in the opinion of the data subject, the processing of personal data concerning him or her infringes the data protection regulations.
The data subject may exercise his/her right to file a complaint at the following contact details:
National Data Protection and Freedom of Information Authority
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu; Website: http://www.naih.hu
The supervisory authority to which the complaint has been submitted is obliged to inform the client about the procedural developments related to the complaint and its outcome, including the client's right to seek judicial redress.
- Information about a data breach
A data breach is defined by the relevant legal regulation as a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A data breach includes the loss or theft of a device (laptop, mobile phone) containing personal data, infection by ransomware that makes data processed by the data controller inaccessible until a ransom is paid, an attack on an IT system, the publication of an email or address list containing personal data sent in error, etc.
If a data breach is detected, the Company representative will immediately conduct an investigation to identify the data breach and determine its possible consequences. The necessary measures must be taken to prevent damage.
The data processing incident record contains the following elements:
- Date, time,
- Incident description,
- Group and number of people affected,
- Likely consequences for those affected,
- Whether official notification has been made and, if so, when.
If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data breach without undue delay.
The information provided to the data subject must clearly and intelligibly describe the nature of the data protection incident and provide the name and contact details of the data protection officer or other contact person who can provide further information, the likely consequences of the data protection incident, the measures taken or planned by the data controller to remedy the data protection incident, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
The data subject does not need to be informed if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the data breach, which render the data unintelligible to persons not authorised to access the personal data;
- the data controller has taken further measures following the data protection incident to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- informing the data subjects would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly published information or a similar measure should be taken to ensure that the data subjects are informed in a similarly effective manner.
If the data controller has not yet notified the data subject of the data breach, the supervisory authority may, after considering whether the data breach is likely to involve a high risk, order that the data subject be informed.
- Deadline for action
The data controller shall inform the Data Subject of the measures taken in response to the requests without undue delay, but in any case within 1 month of receipt of the request.
If necessary, this may be extended by two months. The Data Controller shall inform the Data Subject of the extension of the deadline, indicating the reasons for the delay, within one month of receipt of the request.
If the Data Controller does not take action following the Data Subject's request, it shall inform the Data Subject without delay, but no later than one month from the receipt of the request, of the reasons for the failure to take action and of the possibility of lodging a complaint with a supervisory authority and exercising their right to judicial remedy.
- Security of data processing
The Company may only process personal data in accordance with the activities set out in this policy and for the purpose of data processing.
The controller and the processor shall implement appropriate technical and organizational measures, taking into account the state of the art and the costs of implementation, the nature, scope, circumstances and purposes of the data processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons, in order to guarantee a level of data security appropriate to the degree of risk. These measures include the encryption of personal data, the continued confidentiality, availability and resilience of systems and services used to process personal data, the ability to restore access to and the availability of personal data in a timely manner in the event of a physical or technical incident, and a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures taken to guarantee the security of data processing.
The Company takes appropriate measures to protect data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, and against inaccessibility resulting from changes in the technology used.
When defining and applying measures to ensure data security, the Company takes into account the current state of technology and, in the event of multiple possible data management solutions, chooses the solution that ensures a higher level of protection of personal data, unless this would pose a disproportionate difficulty.