Privacy Policy

Data Controller:
Dr. Katalin Mária Pallai (Registered Address: Austria, 1090 Vienna, Spittelauer Lände 15-21/1/19, Austrian Tax Number: 07360/7376)

As a service provider and data controller (hereinafter referred to as “Service Provider”), Dr. Katalin Mária Pallai adopts the following data protection and data management policy, effective from May 25, 2018, in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of April 27, 2016).

1. Definitions

1.1 Personal Data: Any information related to an identified or identifiable natural person (“Data Subject”). A natural person is identifiable if they can be identified directly or indirectly, particularly based on an identifier such as name, number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
1.2 Data Processing: Any operation performed on personal data, whether automated or not, including collection, recording, organization, structuring, storage, modification, retrieval, consultation, use, disclosure, transmission, dissemination, or making available by any means, alignment, combination, restriction, deletion, or destruction.
1.3 Data Processing Restriction: Marking stored personal data to limit future processing.
1.4 Profiling: Automated processing of personal data to evaluate specific personal aspects of a natural person, such as work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
1.5 Data Controller: Dr. Katalin Mária Pallai.
1.6 Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
1.7 Recipient: A natural or legal person, public authority, agency, or other body to whom personal data is disclosed, regardless of whether they are a third party.
1.8 Third Party: A natural or legal person, public authority, agency, or other body other than the Data Subject, Data Controller, Data Processor, or individuals authorized to process personal data under direct authority.
1.9 Data Subject’s Consent: A freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes, either by a statement or a clear affirmative action, signifying agreement to the processing of personal data.
1.10 Data Breach: A security breach leading to accidental or unlawful destruction, loss, or alteration of personal data, or to unauthorized disclosure of, or access to, personal data.
1.11 Genetic Data: Personal data related to inherited or acquired genetic characteristics, carrying unique information about an individual’s physiology or health, primarily obtained from biological samples.
1.12 Biometric Data: Personal data resulting from specific technical processing related to physical, physiological, or behavioral characteristics of a person that enable their unique identification, such as facial images or fingerprint data.
1.13 Health Data: Personal data about an individual’s physical or mental health, including information about healthcare services received.

2. Data Processing and Protection

2.1 Personal data may only be processed for a specified purpose, to exercise a right, or to fulfill an obligation (principle of purpose limitation).
2.2 The Data Subject has the right to be informed about the processing of their personal data, including its source, purpose, legal basis, and duration.
2.3 Only authorized employees, subcontractors, or data processors with a legitimate need can access personal data.
2.4 The Service Provider ensures that any request for data is assessed to determine whether the requested data is essential for the stated purpose.

2.5 Data Security Measures:

  • The Service Provider ensures the highest possible security of personal data.
  • Secure storage is maintained throughout the data processing period. Upon expiration, data is deleted or destroyed.
  • Data access rights are regularly reviewed and monitored.
  • Personal data is primarily stored in a computerized system; paper-based records are kept in a secure archive.
  • Electronic data is stored on cloud-based platforms with appropriate software security measures to prevent unauthorized access, modification, or destruction.

3. Categories of Personal Data Processed

3.1 The following data groups are managed within the organization:

  • Customer data
  • Business partner data
  • Direct marketing, market research, and public opinion research data
  • Regulatory compliance data
  • Data breach records

3.2 Processing of Customer Data:

  • The Service Provider processes the customer’s name, contact details (email, phone number), delivery address, and billing details for contract fulfillment.
  • Data is retained for the legally required period for tax and accounting purposes.
  • Customer complaints and claims are documented for dispute resolution.

3.3 Processing of Business Partner Data:

  • Business partners’ personal data (e.g., sole proprietors, subcontractors) are managed separately from customer data.

3.4 Direct Marketing and Market Research:

  • The Service Provider may use personal data for direct marketing and market research with prior consent.
  • The following data may be collected:
    • Name
    • Gender
    • Date and place of birth
    • Address
    • Phone number
    • Email address
    • Interests
  • The Data Subject has the right to:
    • Withdraw consent for marketing at any time.
    • Request deletion or restriction of their data.
    • Refuse participation in marketing research.

3.5 Handling Data Breaches:

  • The Service Provider must notify the relevant data protection authority within 72 hours of becoming aware of a data breach unless it is unlikely to result in a risk to individuals’ rights.
  • If the breach poses a high risk, affected individuals must also be informed.
  • Exceptions to individual notification apply if:
    • Data was encrypted or otherwise protected.
    • Post-breach measures have minimized risks.
    • Notification would require disproportionate effort (public notices may be used instead).

4. Data Subject Rights

4.1 The Data Subject has the right to:

  • Access their data
  • Request correction or deletion
  • Withdraw consent at any time
  • Restrict processing in certain cases
  • Object to data processing
  • Request data portability

4.2 The Data Subject may submit requests in writing via registered mail or email. The Service Provider must respond within 30 days.

4.3 Personal data will be deleted if:

  • It is no longer needed for the purpose it was collected.
  • The Data Subject withdraws consent.
  • The Data Subject objects, and there are no overriding legitimate reasons to continue processing.
  • Data was unlawfully processed.

5. Data Protection Officer (DPO)

5.1 Responsibilities of the DPO include:

  • Advising on GDPR compliance.
  • Monitoring data processing activities.
  • Cooperating with supervisory authorities.
  • Serving as the contact point for data subjects regarding privacy concerns.

5.2 The DPO is Dr. Katalin Mária Pallai.

If you have any concerns regarding data privacy, you may contact the DPO for further clarification or action.