Privacy Policy

The purpose and scope of application of the present Privacy Policy, relevant laws

The purpose of the present Policy is to establish the principles of data protection and controlling used by TRÉNER FLIGHT ACADEMY Korlátolt Felelősségű Társaság (seat: 4400 Nyíregyháza, Repülőtér 1.; registration number.: 15-09-084850, hereinafter referred as: “Company” or “Controller”) and the company’s policies in data protection and controlling that the company as data controller accepts as bounding.

During the establishment of the present Policy the company particularly considered the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or ”GDPR”), Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Privacy Act”), Act V of 2013 on the Civil Code (“Civil Code”), and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (“Advertising Act”).

The scope of the present Privacy Policy shall cover the control of personal data provided at the www.[*].hu website (hereinafter: “Website”).

2. Definitions

Controlling: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller or Controller: the person or persons determined by Section 3, who alone or jointly with others, determine the purposes and means of the control of personal data.
Personal data or data: any data or information, based on which a natural person User can be identified, directly or indirectly.
Processor: the service provider who processes personal data on behalf of the Data controller.
Data Subject: a natural person who provides their personal data to the Data Controller or their personal data is provided to the Data Controller by a third person.
Subcontractor: a business entity with or without legal personality which acts as an agent the Data Controller in the course of the rendering of relocations management services based on the service agreement conducted between the subcontractor and the Data Controller
Policy: the present Privacy Policy of the Data controller.

3. The identity and activity of the Data Controller

Data controller is TRÉNER FLIGHT ACADEMY Korlátolt Felelősségű Társaság (seat: 4400 Nyíregyháza, Repülőtér 1.; registration number.: 15-09-084850; e-mail: [*]). The personal data of the Data Subjects is controlled by the Data controller in connection with the carrying out of the activities by Data Controller determined by the present Policy.

Controller is a business enterprise registered under the laws of Hungary.

The Controller operates the Website the purpose of which is to provide information on the activities carried out by the Data Controller, and also to provide the User with the option of subscribing to the newsletter and advertisement sending service.

4. The principles and the method of the data control, relevant laws

4.1 Controller performs the data control in accordance with the requirements of good faith, transparency and fair dealing, and in cooperation with the Data Subjects. Controller only controls the data determined by law or provided by the Data Subjects with the purposes set forth in the present Policy. The scope of the controlled Personal data is proportionate to the purpose of the controlling and cannot extend beyond it.

4.2. In every situation, when Controller wishes to use Personal data for a purpose different from the original purpose of the collection of data, Controller informs the Data Subject, obtains his or her consent, and provides the Data Subject with the possibility of forbidding the usage.

4.3 Controller does not inspect the provided Personal data. The person providing the data is exclusively responsible for the accuracy of the provided data.

4.4 Controller does not transfer the controlled Personal data to third parties other than the Processors listed in the present Policy.

Controller in certain cases (e.g. in case of official legal, police requests, legal procedure, violation of copyright, property or other rights or reasonable grounds to these, the infringement of Collector’s interests, the endangerment of the service providing etc.) makes the affected Data Subject’s Personal data available to third persons.

4.5. Controller notifies the affected Data Subject and all the third parties to which the data was transferred with the purpose of data control about the correction, restriction and erasure of the controlled personal data. The notification may be omitted if, taking into consideration the purpose of the Controlling, the legitimate interest of the Data Subject is not infringed.

4.6. The Controller, established, that the Regulation includes a taxative and definite enumeration of the criteria of when the controller must designate a Data Protection Officer (“DPO”). The Controller furthermore established, that during the controlling of the Controller, the criteria are not fulfilled according to the Regulation because:
a) the processing is NOT carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor DO NOT consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
c) the core activities of the controller or the processor do not consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Controller established that its activities, and the personal data controlled cannot be included in the reasons mentioned above.

With regard to these reasons Controller does not consider the designation of a Data Protection Officer necessary.

5. Legal base of the data controlling

5.1. Taking into account the characteristics of the Data controller’s activity, the potential legal grounds of the Controlling are the followings:

5.1.1. The explicit consent of the Data Subject based on appropriate information

(Regulation Article 6 paragraph 1 point a))
In these cases the Data Subjects voluntarily receive the services of the Controller.

5.1.2. Should the Data Subject directly contact the Data Controller and Data controlling is necessary for the fulfilment of such contract in which the Data Subject is a party or is required to take action for the request of Data Subject before the conclusion of contract
(Regulation Article 6 paragraph 1 point b))

5.1.3. Data controlling is necessary for the fulfilment of legal obligations of Data Controller
(Regulation Article 6 paragraph 1 point c))

5.1.4. The legitimate interest of Data Controller
(Regulation Article 6 paragraph 1 point f))

5.2 In case the legal basis of data control is the consent of the Data Subject the Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of the consent shall not affect the lawfulness of data control based on consent before its withdrawal.

5.3. Transfer of data to the Processors listed in the present Policy may be concluded without the explicit consent of the Data Subject. Transfer of data to third parties, in the absence of provisions of laws providing the contrary, shall only be concluded based on a final and binding decision of the authorities, or the particular preliminary consent of the Data Subject.

6. Objective of the processing

6.1. Controller shall only control personal data for the purpose which it was requested for and in order to exercise rights and discharge obligations. The data control corresponds the purpose of the control in every stage. The collection and control of data shall be concluded fairly and lawfully. Controller seeks to control only the data that is necessary and apt to achieve the purpose of the controlling. The personal data shall only be controlled to the extent and in the period of time necessary to achieve the purpose.

6.2. The purpose of the control is mainly the operation of the Website and the provision of services in connection thereto.

According to the above mentioned the purpose of the controlling is:

To identify the Data Subject and to communicate with the Data Subject;
To manage individual requests;
To prepare statistics and analysis;
To send newsletters and information materials to the Data Subjects;
To send requests to the Data Subjects with the purpose of direct marketing;
To comply with the obligations of Controller, or to exercise the rights of Controller;
The protection of rights of Data Subjects.

7. Source of the data

7.1. Controller only controls personal data provided by the Data Subjects and does not collect data from any other sources.

7.2. Personal data is provided by way of contact-making by the Controller and the Data Subject as follows:
The Data Subjects provides their name, e-mail address, address and the name of the training they are interested in upon entering into the Website;
[*];
[*]

8. The scope of the data controlled

8.1. Controller shall only control the personal data provided by the Data Subject. The controlled pieces of data are the following:

Name,
Address,
Email address
Telephone number.
8.2. Further to the above the Controller controls technical data, namely IP address as detailed by Section 11.

9. Description of the process of controlling

9.1. Controller only controls data according to the provision of data by the Data Subject. Therefore the source of the data is the Data Subject, who provides the data during the first communication. The Data Subject provides the data individually, Controller does not give any mandatory guidance, and does not have any requirements in connection with the content.

10. Control with the purpose of advertising, sending newsletters

10.1. If the Data Subject consents to it on the Website, the Controller will contact the Data Subject using the provided contact information and send him or her an advertisement, newsletter or information material directly. Advertisement may be send via mail, phone (including text messages) or e-mail. Advertising is always subject to the Data Subject’s consent. The Data Subject may withdraw his consent at any time without giving reasons.

11. Controlling of technical data and cookies

11.1. The system of Controller automatically records the IP-address of the computer of the Involved person, the start date of the visit and in certain cases, depending on the settings of the computer, the type of the web browser and the operating system. The data collected this way shall not be connected to the other personal data. The controlling of the data serves statistical purposes only.

11.2. The cookies enable the Website to recognize the previous visitors. The cookies help the Controller as the operator of the Website in optimizing the Website and in constructing the services of the Website according to the habits of the visitors. The cookies are furthermore applicable to

remember the settings, therefore the Involved person does not have to record them again if he or she enters a new page,
remember the data previously entered, therefore they do not have to be entered again,
analyze the use of the website in order to operate according to the expectations of the Involved person to the greatest extent possible, by the developments using the information collected and to facilitate the search for information by the Involved person, and
monitor the efficiency of the advertisements.

11.3. If Controller displays different contents on the Webpage using external web services, this may result in the storage of some cookies that are not supervised by Controller, therefore Controller does not have an influence on the types of data collected by these websites and external domains. Information on these cookies are provided by the regulations concerning the given service.

11.4. Controller uses cookies to display advertisements to the Involved persons via Google and Facebook. The controlling takes place without human intervention.

11.5. The Involved person may adjust his or her browser to accept or to decline all cookies or to notify the Involved person whenever a cookie arrives to the computer. These settings can usually be found under the “Options” or “Settings” of the browser. By declining the application of the cookies the Involved person takes note that without the cookies the operation of the Website is not complete.

11.6. The detailed information that can be found on www.aboutcookies.org in English also provides help regarding the cookie-related settings of the different browsers.

12. The transfer of data

12.1. Controller only transfers data to third persons if the Data Subject, being aware of the scope of data to be transferred and recipient of the transfer, gave consent, or the transfer is authorized by law.

12.2. In order for the rendering of its services the Controller in certain cases transfers Personal data of the Data Subject to one or more of its Subcontractors.

12.3. Controller has the right and is obligated to transfer all the available and lawfully stored personal data to the competent authority if Controller is bound by the law or by a final and binding decision of the authority. For these kinds of transfer of data and its consequences the controller cannot be held liable.

12.4. Controller documents the transfers in all cases, and keeps record of the transfers.

13. Processing

13.1. Controller has the right to engage another processor for carrying out its activity. The processors do not make decisions individually, and are only authorized to operate according to the provisions of the concluded contract and the instructions of Controller. Controller monitors the activities of the processors. The processors may only engage sub-processors with the consent of Controller.

13.2. Controller lists the engaged processors in the present Policy.

13.3. Processors engaged by Controller:

TRÉNER Kft. (4400 Nyíregyháza, Repülőtér 1.; Cg.15-09-061647);
[*];
[*].

14. Security and disclosure of personal data

14.1. Controller ensures the security of the personal data, implements the necessary technical and organizational measures and develops the procedural rules that are necessary for the implementation of the relevant laws and rules of protection of data and confidentiality. Controller protects the data with adequate measures against unauthorized access, alteration, transfer, public disclosure, erasure or destruction, the accidental destruction and damage, and unavailability resulting from the change of the applied technology.

14.2. Controller keeps records of the controlled data in accordance with the relevant laws, ensuring that the data can only be accessed by the employees and other persons acting on behalf of Controller (processors) for whom the access is necessary to perform their jobs and tasks. The employees of Controller may only perform individual searches or other individual operations concerning the data on the request of the Data Subject, or if is necessary for the provision of the service.

14.3. Controller takes due account of the existing technological advances when determining and applying the measures to be taken for the protection of data. Controller selects the available solution that ensures the higher level of protection of personal data unless the application of that would mean disproportionate difficulties.

14.4. Controller among the tasks relating to information technology protection ensures in particular:
The protection against unauthorized access, including the protection of software and hardware devices and the physical protection (access control, securing the network);
Measures taken to enable the restoration of data files, including the regular backups and the separate and secure handling of the copies (mirroring, backups);
The protection of the data files against viruses (anti-virus service)
Physical protection of the data files and the storage devices including the protection against fire, water, lightning, and other natural disasters and the restoration of the data damaged in those disasters (archiving, fire protection).

14.5. Employees and other persons acting on behalf of Controller must keep safe and protect the data carriers used or disposed of by them, regardless of the method of collection of the data, against unauthorized access, alteration, transfer, public disclosure, erasure or destruction, and accidental destruction and damage.

14.6. Controller operates the electronic register through a computer program that meets the data security requirements. The program ensures that the data can only be accessed in accordance with the purposes, under controlled conditions, and by persons for whom it is necessary in order to carry out their tasks.

15. The duration of data control

15.1. Controller deletes the personal data if

a) the personal data are no longer necessary in relation to the purposes for which they were provided for

b) the data subject withdraws consent on which the processing is based or requests the erasure of Personal data, and where there is no other legal ground for the processing

c) the Data subject objects to the controlling of their Personal data and there are no overriding legitimate grounds for the controlling

d) the controlling of Personal data is unlawful

The erasure may be denied (i) in order to exercise the right to the freedom of expression and the right to be informed, or (ii) if the controlling of the personal data is authorized by the law; and (iii) in order to submit, enforce or protect legal claims.

In all cases Controller informs the Data Subject about the denial of the request for erasure indicating the reason of the denial of erasure. After the satisfaction of a request for erasure the deleted data cannot be restored.

Unless the Data Subject requests otherwise, Controller controls the data until the connection between Controller and the Data Subject exists, and until Controller may provide services for the Data Subject.
Any other data will be deleted by Controller if it is obvious that the data will not be used in the future, therefore the purpose of the controlling ceased.

e) it was ordered by the court or the Hungarian National Authority for Data Protection and Freedom of Information

If the court or the Hungarian National Authority for Data Protection and Freedom of Information orders the erasure of the data in a final and binding decision, Controller performs the erasure.
In case of controlling based on the law, the provisions of the law are applicable to the erasure of the data.

In case of erasure Controller makes the data unidentifiable. If the legislation requires, Controller destructs the data carrier on which the personal data is stored.

16. Rights of the Data Subject and exercising the rights

16.1. Controller informs the Data Subject about the Controlling at the time of the collection of data. Besides that the Data Subject has the right to request information about the controlling at any time.

Upon the request of the Data Subject Controller informs the Data Subject about the Data Subject’s data controlled by Controller and by the Processors mandated by Controller, about the source of the data, the purpose, the legal grounds and period of the Controlling, the name, address and controlling related activity of the Processor, and about the circumstances and effect of the personal data breach along with the steps taken for the prevention. Furthermore in case of the transfer of the Personal data of the Data Subject Controller also provides information about legal grounds and recipient of the transfer. Controller is obliged to provide the information as soon as possible, but in any event within 1 month from the filing of the request. That period may be extended by two further months where necessary. The Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. On the request of the Data Subject the information must be provided in writing. The information is free of charge if the requester has not filed a request for information in the current year. In any other case a reimbursement may be determined. The paid reimbursement must be refunded if the data was controlled unlawfully or the request led to the correction of the data.

16.2. The Data Subject may request his incorrectly stated data to be corrected by Controller. If the data to be corrected is the basis of regular reporting, Controller informs the recipient of the reporting if necessary, and raises the attention of the Data Subject, that the correction has to be initiated with other controllers as well.

16.3. The Data Subject, except for in cases of controlling provided by the law, may request the erasure of his or her Personal data. Controller informs the Data Subject about the erasure.

16.4. The Data Subject may object to the controlling of his or her personal data according to the Privacy Act.

16.5. The Data Subject may file the request for information, correction and erasure in writing in a letter addressed to the seat of Controller, or in an e-mail sent to the e-mail address of Controller: [*].

16.6. The Data Subject may request the restriction of the Controlling of the Personal data of the Data Subject, if he or she debates the correctness of the controlled Personal data. In this case the period of the restriction is limited to the period of time that enables the Controller to inspect the correctness of the Personal data. Controller marks the piece of controlled Personal data, if the Data Subject debates its correctness or accuracy, but the incorrectness or inaccuracy of the debated Personal data cannot be ascertained undoubtedly.

The Data Subject may also request the restriction of the controlling of Data Subject’s Personal data from Controller if the controlling is unlawful, but the Data Subject objects to the erasure of the Personal data, and requests the restriction instead of the erasure.

Furthermore the Data Subject may request the restriction of the controlling of Data Subject’s Personal data from Controller if the purpose of the controlling is achieved, but it is necessary for the Data Subject that the Personal data stays controlled by Controller in order to submit, enforce or protect legal claims.

16.7. The Data Subject shall have the right to receive the Personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

16.8. If Controller does not execute the request for correction, erasure or block of the Data Subject, Controller informs Data Subject in writing in 25 days after the reception of the request about the reasons of the denial of the request for correction, block or erasure. In case of the denial of the request for correction, block or erasure, Controller informs the Data Subject about the judicial remedies and the possibility of turning to the Hungarian National Authority for Data Protection and Freedom of Information.

16.9. The Data Subject may contact the Controllers in order to make the above mentioned necessary declarations in connection with the exercise of the Data Subject’s rights to the seat of Controller, or in an e-mail sent to the e-mail address of Controller: [*].

16.10. The Data Subject may submit a complaint directly to the Hungarian National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa u. 9-11..; phone number: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu) as well. The Data Subject in case of the infringement of his or her rights has the right of access to a court according to section 23 subsection 1 of the Privacy Act. The municipal court has jurisdiction to decide the cases. The Data Subject, as per his or her own decision, may pursue an action before the court of the domicile or the place of residence. On the request of the Data Subject Data controller informs the Data Subject about the possibility and the tools of legal remedies.

17. Entering into force and modification of the Privacy Policy

17.1. The present Privacy Policy shall enter into force on [*], 2022.

17.2. Data controller reserves the right to modify the present Policy with a unilateral decision at any time.

17.3. The present Privacy Policy is concluded in English-Hungarian languages. In case of any discrepancies between the two versions the Hungarian version shall prevail.