DATA MANAGEMENT INFORMATION

Helen Doron Language School Debrecen

Well Done Limited Liability Company

Cg. 09-09-017759

Tax number: 14946369-2-09

registered office: 4028 Debrecen, Hadházi út 19.

hereinafter referred to as the company, (service provider, data controller), as data controller, acknowledges the contents of this legal notice as binding upon it.

The purpose of this notice is to set out the data protection and data management principles and the data protection and data management policy of the Company. The Helen Doron Language School (Well Done Kft. , tax number: 14946369-2-09, Company Registration Number: 09-09-017759, as Data Controller, acts on the basis of this Privacy and Data Protection Policy and Information Notice (hereinafter referred to as "Privacy and Data Protection Policy and Information Notice") in all processing of data of natural persons ("Customer") in connection with the services it provides as a Language School (teaching, camping, organisation, events) and the websites it operates (hereinafter referred to as "Websites").

The company undertakes to ensure that all data processing in relation to its activities complies with the requirements set out in this notice and in the legislation in force.

It is the policy of Helen Doron English Debrecen (hereinafter referred to as HDED) that all personal data collected at the time of enrolment, application, event registration and from the websites is strictly confidential. Personal information includes a person's full name, child's name, age, telephone number, home address and e-mail address. Because the safety of our visitors is important to us, HDED has adopted the following privacy policy to protect your personal information:

By enrolling in our Language School, attending our camps or registering for classes, or visiting our websites, you as a user agree to HDED's privacy policy regarding the collection, use and disclosure of personal information as described below. HDED does not collect, unlawfully use or disclose personal information about its customers or users for any purpose other than the following without the users' consent.

I. Concepts

data subject: any natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;

customer: a natural person who, on the basis of his/her voluntary consent, makes use of the services of the company;

personal data: data which can be associated with the Customer, in particular the Customer's name, identification mark and one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and the inference that can be drawn therefrom concerning the Customer;

Consent: a voluntary and explicit expression of the Customer's wishes, based on adequate information, by which he gives his unambiguous consent to the processing of personal data concerning him, whether in full or in relation to specific operations;

data controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or has the data processed by a processor;

'processing' means any operation or set of operations which is performed upon data, regardless of the procedure used, such as collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction, prevention of further use, taking of photographs, sound recordings or images, or any other physical means of identification of a person (e.g. fingerprints, palm prints, DNA samples, iris scans);

transfer: making data available to a specified third party;

disclosure: making the data available to any person;

erasure: rendering data unrecognisable in such a way that it is no longer possible to retrieve it;

data destruction: the complete physical destruction of the data medium containing the data;

third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.

data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

'processor' means a natural or legal person or an unincorporated body which carries out the processing of data on the basis of a contract, including a contract concluded pursuant to a legal provision.

II. Scope of personal data

The Company's data processing is carried out in accordance with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.), and the rules set out in the Companies Act.

II/1. The information we collect:

II.1.1.Personal data: personal data, such as the user's name, telephone number, e-mail address, are collected only on the basis of the data voluntarily provided on the data request form on the HDED website or on the basis of an e-mail sent directly to HDED. Any personal data collected in this way can only be processed by an HDED employee or HDED department at the user's request, for the purpose of answering the user's questions. Such personal data will not be sold or disclosed to third parties or used for e-mail lists.

II.1.2. Cookies. The information collected by cookies is used solely for contact and tracking of site visit data. We do not sell or disclose this information to third parties.

II.1.3. Website activity data: our web server automatically collects and logs certain information for each user who visits the website. The information logged includes the user's IP address, username (if any), time and date of visit, and a list of pages accessed. The logs also include link information if the user visited an external link through the HDED website. HDED keeps logs of tomorrow's visits solely for the purposes of monitoring website performance, security and tomorrow's administration. The data is not sold or disclosed to third parties.

This website contains links to third party websites and/or content providers. This privacy policy does not cover third party websites and content providers, and HDED is not responsible for the content linked and provided.

II.1.4 Any changes to the privacy policy will be posted immediately on the website. Any such changes shall not be retroactive and shall not apply to any personal data previously submitted.

II.1.5... By registering on the websites and by using the website, the Customer accepts the provisions of this GTC. The purpose of this Policy is to define the scope of personal data processed by the Data Controller, the method of data processing and to ensure compliance with the constitutional principles of data protection and data processing, data security requirements, in order to respect the privacy of the natural persons of the User in the automated processing and processing of personal data of the data subjects.

II./2. The Data Controller

Organization name: Helen Doron Nyelviskola (Well Done Ltd., registered office: 4028 Debrecen, Hadházi út 19, tax number: 14946369-2-09, company registration number: 09-09-017759. Email: helendoron@angoldebrecen.hu Data Protection Registration Decision No. § The Authority does not keep a data protection register pursuant to Section (3)(a) of Article CXII of the Act of 2011 on Data Protection of the European Parliament and of the Council of 24 July 2011 on the protection of personal data of persons having an employment relationship, a membership relationship, a relationship with a person in a pre-school education, a pupil or student contract, a membership relationship in a college or a customer relationship with a data controller, with the exception of customers of financial institutions, public utility providers, electronic communications service providers.

II/3.. Natural and legal persons entitled to access the data, the data processor:

The data may be accessed only by the management of the Data Controller or by persons specifically authorised by the management.

II/ 4. Scope of personal data processed

The present DATA PROTECTION AND DATA MANAGEMENT POLICY AND INFORMATION only covers the processing of data of natural persons, given that personal data can only be understood in relation to natural persons. The Websites also provide content accessible to any Internet user without registration. However, certain content services and newsletter functions are only accessible to registered users. A registered user is anyone who is authorised to do so by the Data Controller in accordance with its internal rules. The registration process is free of charge.

II.4.1. During registration, the Customer must provide the following personal data: - Customer's name, - E-mail address, - Telephone number - Child's name - Child's age.

II.4.2. The website's database stores the Customer's data in order to perform the free services provided by registration, the data controller is not authorized to pass them on for advertising use or for any other purpose - in the absence of the Customer's express consent.

II.4.3 During visits to the Website, one or more cookies - small packets of information sent by the server to the browser and returned by the browser to the server for each request directed to the server - are sent to the Client's computer, through which its browser(s) will be uniquely identified. These cookies are used solely to improve the user experience, automate the login process and measure the effectiveness of our advertising activities.

II.4.4. The Customer has the right to disable data processing at any time.

III. THE PURPOSES, LEGAL BASIS, DURATION AND SCOPE OF THE PERSONAL DATA PROCESSED

3.1 Data processed on the basis of consent

3.1.1.1 Marketing enquiries (contacting us, news, information, invitations, satisfaction surveys, quizzes, competitions)

3.1.1.1 Purpose of data processing:

The purpose of the processing is to contact Customers, to provide information on the description of the services offered by HDED, prices, actions, promotions, as well as on the events, commercial or professional forums organized by HDED, to send requests or invitations by electronic mail to the contact details indicated in the consent form. Furthermore, to submit questions for the purpose of conducting satisfaction surveys to be carried out by HDED.

3.1.1.2 Legal basis for processing: the legal basis for processing is the data subject's consent [Article 6(1)(a) GDPR

3.1.1.3 Scope of personal data processed:

Email address of parent or legal guardian.

The data subject is responsible for the accuracy of the data provided, which does not infringe the privacy rights of third parties.

3.1.1.4 Duration of processing:

Until the withdrawal of the data subject's consent, but for a maximum of 5 years.

3.1.2 CREATION AND MANAGEMENT OF USER ACCOUNT/ORGANISATION

3.1.2.1 Purpose of processing: the Controller may, at the request of the data subject, create and manage the user organisation in order to see which groups your child is attending, enrol him/her in camps, monitor his/her progress in learning.

3.1.2.2 Legal basis for processing: the legal basis for processing is the data subject's consent [Article 6(1)(a) GDPR

3.1.2.3 Scope of personal data processed:

child's name
child's date of birth
Child's e-mail address
address, postal address,
telephone number,
name of parent or legal guardian
telephone number of parent or legal guardian,
email address of parent or legal guardian.
payment method
payment frequency

The data subject is responsible for the accuracy of the data provided, which does not infringe the privacy rights of third parties.

3.1.2.4 Duration of data processing:

Until the withdrawal of the data subject's consent, but for a maximum of 5 years.

3.1.3 TRAINING, TRIPS ABROAD

3.1.3.3.1 Purpose of data processing: the purpose of data processing is the organisation of trips and training courses organised by HDED (insurance, accommodation, airline ticket booking, registration)

3.1.3.2 Legal basis for processing: the legal basis for processing is the consent of the data subject [Article 6(1)(a) GDPR].

3.1.3.3 Scope of personal data processed:

Name of the child.
Date of birth of the child
E-mail address of the child
address, postal address,
telephone number,
name of parent or legal guardian
telephone number of parent or legal guardian,
email address of parent or legal guardian.
child's passport number

The data subject is responsible for the accuracy of the data provided, which does not infringe the privacy rights of third parties.

3.1.3.4 Duration of processing:

Until the withdrawal of the data subject's consent, but for a maximum of 5 years.

3.1.4 HDED Camp.

3.1.4.4.1 Purpose of processing:

The purpose of the processing is to keep in contact with the customer, by sending electronic mail to the contact details indicated on the registration form, descriptions of the services provided by HDED, prices, special offers, promotions and camps organized by HDED. In addition, that the information and promotional activities to be carried out by HDED to submit questions for the purpose of conducting satisfaction surveys by HDED.

3.1.4.2 Legal basis for processing: the legal basis for processing is the data subject's consent [Article 6(1)(a) GDPR

3.1.4.3 Scope of personal data processed:

Name of the child.
Date of birth of the child
E-mail address of the child
address, postal address,
telephone number,
name of parent or legal guardian
telephone number of parent or legal guardian,
email address of parent or legal guardian.
payment method
payment frequency
special meal request

The data subject is responsible for the accuracy of the information provided, which does not infringe the privacy rights of third parties.

3.1.4.4 Duration of data processing:

Until the withdrawal of the data subject's consent, but for a maximum of 5 years.

3.1.5. Adult education

3.1.5.1 Purpose of data processing:

The purpose of the processing is the provision of English language education to parents of children studying at HDED.

3.1.5.2 Legal basis for processing.

3.1.5.3 Scope of personal data processed:

Name, address, e-mail address, telephone number, education level, employment status, payment method, payment frequency of the adult participating in the training

The data subject is responsible for the authenticity of the data provided, which does not infringe the personal rights of third parties.

3.1.1.4 Duration of data processing:

Until the withdrawal of the data subject's consent, but for a maximum of 5 years.

3.2 Processing of data necessary for the performance of the contract (SUPPLIER'S INFORMATION SHEET)

3.2.1 Processing of data of external persons brought to the attention of the Data Controller in connection with the preparation and performance of contracts, and to inform the data subjects about the services of the Data Controller, current promotions, current house rules, school events (carnival, Halloween Party, camps, handover ceremony, other programmes)

3.1.4.2 Legal basis for processing. The legal basis for processing is the data subject's consent [Article 6(1)(a) GDPR

3.2.3 Scope of personal data processed:

Client's address, postal address,
Name of the principal
telephone number of the principal,
e-mail address of the principal.

The data subject shall be responsible for the accuracy of the data provided, which shall not infringe the privacy rights of third parties.

3.2.4. Duration of data processing:

Until the withdrawal of the data subject's consent, but for a maximum of 5 years.

3.3.Data processed pursuant to legal requirements

3.3.1 Processing of data carried out in the context of the performance of adult education contracts concluded in the course of the economic activity of the controller or pursuant to statutory provisions (e.g. the Accounting Act).

3.3.2 Legal basis for processing: the legal basis for processing is the legal obligation [Article 6(1)(c) GDPR

3.3.3 Scope of personal data processed:

Name of the child
Date of birth of the child
E-mail address of the child
address, postal address,
name of the child's school, kindergarten
name of parent or legal guardian
telephone number of parent or legal guardian
email address of parent or legal guardian.

The data subject shall be responsible for the accuracy of the data provided, which shall not infringe the privacy rights of third parties.

3.3.4. Duration of data processing:

Until the withdrawal of the data subject's consent, but for a maximum of 5 years.

3.4. Data processed on the basis of legitimate interest

3.4.1 Processing of personal data of the child and parent based on participation in tutorials. Identification of the data subject when entering the headquarters or premises to participate in tutorials, protection of human life, limb, health, personal freedom and property, i.e. protection of the assets of the controller and of the participants in the tutorials.

3.4.2 Legal basis for processing: the legal basis for processing is legitimate interest [Article 6(1)(f) GDPR

3.4.3 Scope of personal data processed:

Name of the child.
Date of birth of the child
E-mail address of the child
address, postal address,
name of parent or legal guardian
telephone number of parent or legal guardian,
email address of parent or legal guardian.

The data subject shall be responsible for the accuracy of the data provided, which shall not infringe the privacy rights of third parties.

3.4.4 Duration of data processing:

Until the withdrawal of the data subject's consent, but for a maximum period of 6 months.

3.5 Legal basis for processing:

According to Article 6(1)(b) of the Regulation, processing is necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into the contract; however, for data processed pursuant to statutory provisions, Article 6(1)(c) GDPR applies to 3.3 and for data processed on the basis of legitimate interest, Article 6(1)(f) GDPR applies to 3.4 of these Regulations.
The legal basis for processing is generally the voluntary consent of the Customer. Consent is given by the Customer by expressly accepting the processing of the data referred to above, after having read and understood this Privacy Policy, by ticking the relevant box, or by using the Website, by registering, by voluntarily providing the data in question.

By ticking the checkbox of the declaration, the Customer gives his/her explicit and voluntary consent to the Data Controller sending news and information about the Website and its services to the e-mail address provided by the Customer during registration.

The purpose of data processing is to provide information on the provision of services related to education, in particular English language teaching, and other information related to this and the operation of the Data Controller. The Service Provider shall store the data provided by the Customer for a specific purpose. By registering on the website, the Customer gives his/her consent to the use of his/her personal data for the following purposes: - newsletter service - content provision - information provision.

The use of the electronic mail addresses (e-mail addresses) provided during registration by the data controller is as follows: the e-mail addresses are used to identify the customer, for contact purposes when using the services, or to send a newsletter to the customer. The data controller sends information on the services it provides to the customer in electronic form, by e-mail.

The Data Controller sends newsletters containing information about the contents of the Website and the organisation of classes to the e-mail address provided by the client during registration, with the express consent of the client. The Data Controller sends newsletters only to those of its customers who have given their express consent to receive them in the dedicated menu.

The Customer may unsubscribe from the newsletter service at any time, free of charge and without giving any reason. The unsubscription can be done in a single step by clicking on the link in the newsletter or by sending an e-mail to the Data Controller. In this case, the Data Controller will immediately delete the Customer's data from its records.

The purpose of the use of the telephone number provided by the Customer by the Data Controller is as follows: for contact purposes during the process.

The Customer's data is processed exclusively by means of computer processing. The purpose of the data that are automatically recorded is to compile statistics, to improve the technical development of the IT system and to protect the rights of users. The data that are automatically recorded (log files) are the following: the dynamic IP address of the client's computer, the type of operating system and browser used by the client's computer, depending on the settings of the client's computer, the client's activity on the Website. On the one hand, these data are used for technical purposes - e.g. secure operation of servers, post-checking, on the other hand, the Data Controller uses these data to compile statistics on the use of the site, to analyse user needs in order to improve the quality of services. The above data cannot be used to identify the customer and will not be linked to other personal data by the Service Provider.

In order to obtain independent visitor data and other web analytics data, the Data Controller uses Google Analytics software and therefore Google Inc. Privacy Policy is available at https://google.com/intl/h_All/policies/privacy. The user of the Website acknowledges that by using the Website, he consents to the processing of his data by Google Inc.

The controller shall not use the personal data provided for purposes other than those described in these points. Unless otherwise required by law, the disclosure of personal data to third parties or public authorities is only possible with the express prior consent of the user.

The Controller does not control the personal data provided to it. The person providing the data is solely responsible for the correctness of the data provided. Any Customer who provides an e-mail address is also responsible for the fact that he/she is the only one to receive services from the e-mail address provided. With regard to this responsibility, any liability for access to an e-mail address shall be borne solely by the user who registered the e-mail address.

IV. Duration of processing

IV.1. The processing of the data provided during registration starts with the registration and lasts until its deletion. In the case of non-mandatory data, the processing of the data shall last from the time of the provision of the data until the deletion of the data in question. The change or deletion of data recorded during registration may be initiated by the registered Customer by unsubscribing or by e-mail.

IV.2 The above provisions are without prejudice to the fulfilment of the retention obligations laid down by law (e.g. accounting legislation).

IV.3. 6 months based on legitimate interest.

V. Persons entitled to access the data

V.1. The data may be accessed primarily by the Data Controller or its internal staff, but will not be disclosed or transferred to third parties, except on the basis of a marketing contract, solely for the purposes of carrying out marketing activities for its own purposes.

V.2. The Data Controller may use a data processor (e.g. system operator, accountant) for the operation of the underlying IT system, the fulfilment of orders and the settlement of accounts. The Data Controller is not responsible for the data processing practices of such external parties.

V.3. In addition to the above, the transfer of personal data relating to the Customer may only take place in cases provided for by law or with the Customer's consent.

Contact

The Client is required to provide the data necessary for the establishment of the legal relationship, for the performance of the service (adult education) contract, on the official website of HDED at the time of registration. Registration is the first contact with the data controller, which is voluntary. At the time of registration, an e-mail address and password must be provided. The name, telephone number, contact details, billing address and capacity of representative of the parent or legal representative must be provided. You must agree to the privacy policy, payment method. After logging in, you must provide your child's personal information, place and date of birth. When a parent logs in, he/she will be required to enter the child(ren) details. This includes information required under the Adult Education Act, the child's name, email address ( if any), home address, mother's name, daycare or school name. You can register your child for extra lessons or camps on the website. Here you can see the child's timetable and his/her progress records.

Technical data

The data that is technically recorded in the course of the operation of the company is recorded on the company's computer, and in some cases on its laptop. In addition, the data are recorded in the company management system, www. angoldebrecen.hu and HDC. Only the company has access to the data. The computer is virus protected and has a client ID and password. The company informs the contracting partner that the printed documents containing personal data will be stored in the company's locker, to which only the company has access.

HDED transfers personal data to the following companies:

by law or on the basis of a statutory authorisation: the NAV, the appointed accountant, the FARNIVE adult education system.
For the performance of a service contract necessary for its operation: Gyerekangol Kft, Helen Doron Education Group (LTD), TG WEB Kft (IT contractor)
External service providers to whom the data will be transferred on the basis of voluntary consent: Nagyerdei Kultúrpark Kft.

VI. Legal remedies

The Client may request information on the processing of his/her personal data and may request the rectification, erasure or blocking of his/her personal data, except for mandatory data processing, as indicated at the time of collection. The Customer may contact the Data Controller via the contact details above with any questions or comments regarding the processing of his/her personal data. E-mail: helendoron@angoldebrecen.hu

Right to information

Upon the Customer's request, the Company, as data controller, shall provide information on the data processed by it or by a processor it has appointed, on the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities related to the processing, and, in the case of data transfer, the legal basis and the recipient of the data. The controller shall provide the information in writing, in an intelligible form, within the shortest possible time from the date of the request, but not later than 30 days from the date of the request, at the request of the Customer. This information shall be provided free of charge if the data subject has not yet submitted a request for information to the controller in the current year for the same set of data. In other cases, the Company shall charge a fee.

Right of rectification

The company shall rectify personal data if they are inaccurate and if it has at its disposal accurate personal data.

Right to erasure

The company shall erase personal data if its processing is unlawful, the customer requests it, the processed data is incomplete or inaccurate - and this situation cannot be lawfully remedied - provided that erasure is not excluded by law, the purpose of the processing has ceased to exist, or the statutory period for storing the data has expired, or the court or the National Authority for Data Protection and Freedom of Information has ordered it.

Right to restriction of processing

(1) The data subject shall have the right to obtain, at his or her request, restriction of processing by the controller if one of the following conditions is met:

(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;

(c) the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or

(d) the data subject has objected to the processing pursuant to Article 21(1); in this case, the restriction shall apply for the period until it is determined whether the controller's legitimate grounds prevail over the data subject's legitimate grounds.

(2) Where processing is subject to restriction pursuant to paragraph 1, such personal data shall, except for storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

(3) The controller shall inform the data subject at whose request the processing has been restricted pursuant to paragraph 1 in advance of the lifting of the restriction.

Procedural rules

The controller has 30 days to delete, block or rectify personal data. If the controller does not comply with the customer's request for rectification, blocking or erasure, it shall provide the reasons for the refusal in writing within 30 days.

The Company shall notify the rectification, blocking, flagging and erasure to the Customer and to all those to whom it has previously transferred the data for processing. It shall refrain from such notification if this does not harm the legitimate interests of the Customer with regard to the purpose of the processing.

A complaint may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information, 1125 Budapest, Szilágyi Erzsébet fasor 22/C., Postal address: 1530 Budapest, Pf.: 5., Phone: 06.1.391.1400, Fax: 06.1.391.1410, E-mail: ugyfelszolgalat@naih.hu, Website: http://www.naih.hu

VII. Other provisions

VII.1. The Service Provider's system may collect data on the activity of users, which cannot be linked to other data provided by users at the time of registration, nor to data generated by the use of other websites or services.

VII.2. In all cases where the Service Provider intends to use the data provided for purposes other than those for which they were originally collected, the Service Provider shall inform the user thereof and obtain his/her prior express consent or provide him/her with the opportunity to prohibit such use.

VII.3. The Service Provider undertakes to ensure the security of the data, to take technical measures to ensure that the data recorded, stored or processed are protected and to take all necessary measures to prevent their destruction, unauthorised use or unauthorised alteration.

It also undertakes to require any third party to whom it may transfer or disclose the data to comply with its obligations in this respect.

VII.4. Once the paper data have been tabulated, they are destroyed. Within 30 days for promotional registrations and after 2 years for school year enrolment documents. Recorded spreadsheets of data are only accessible to designated staff of the Data Controller and their contents are password protected. Paper documents are stored by the Data Controller in a locked filing cabinet until destruction.

VII.5. After the entry into force of the amendment, the Customer accepts the amended Rules by using the Service. The Data Controller acknowledges the contents of this DATA PROTECTION AND DATA MANAGEMENT POLICY AND INFORMATION and undertakes to ensure that its data processing in relation to the Service complies with the provisions of this DATA PROTECTION AND DATA MANAGEMENT POLICY AND INFORMATION.

Effective from 1 March 2023.

Helen Doron Language School Debrecen

(Well Done Kft.)