Privacy Policy

Personal data of visitors to the website operated under the domain
www.kaprinay.com by Sparring Partner in Business Limited Liability Company

Sparring Partner In Business Ltd. (Registered office: 1061 Budapest, Paulay Ede street 26. 2. flr. 8.; Company registration number: 01-09-407054; Tax number: 32108860-2-41; Represented by: Zoltán Kaprinay, Managing Director), as data controller (“Data Controller”), processes the personal data of visitors (“Data Subjects”) of the websites operated under the domains www.kaprinay.com and sparringpartner.business (collectively: “Website”) in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (the “Infotv.”).

Contact details of the Data Controller:
Email: datacontroller@kaprinay.com
Phone: +36 70 430 1202
Postal address: 1061 Budapest, Paulay Ede street 26. 2. flr. 8.

1. Definitions

1.1. The terms used in this privacy policy shall be understood as defined in the Infotv. and the GDPR.

1.2. Data of the Data Subjects that are publicly available in connection with their business activities (name, registered office, tax number, registration number, company registration number) are not considered personal data, thus the data processing activities described in this privacy policy do not apply to these data.

 

2. Conditions Of Data Processing

The Data Controller informs the Data Subject about the scope of data processed, the source of the data, the legal basis and duration of the data processing, as well as the recipients of the personal data, the data processors, and the details of the transfer of data to third countries and profiling for each data processing purpose as follows:

2.1. Data processing purpose: Contact through the Website

The Data Controller provides the visitors of the Website with the opportunity to contact the Data Controller using the contact form available on the Website. During the contact process, the Data Subject provides their name, email address, phone number, and other personal data as specified by the Data Subject. The purpose of the data processing is to enable the Data Controller to respond to the Data Subject’s inquiries, requests, and to establish contact with the Data Subject.

Scope of data processed Source of data Legal basis for processing Duration of processing
Name, email address, phone number, and other personal data provided by the Data Subject Data Subject Consent of the data subject (GDPR Article 6 (1) a)) Until the purpose is fulfilled or consent is withdrawn

Transfer of data to third countries: does not occur
Profiling: does not occur

The Data Subject has the right to withdraw their consent for the processing of their data provided during contact at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

2.2. Data processing purpose: Newsletter subscription

The Data Controller provides visitors with the opportunity to subscribe to the newsletter. During the subscription process, the Data Subject provides their surname, first name, and email address. The purpose of the data processing is to inform the Data Subject about the services, news, and other relevant information of the Data Controller.

Scope of data processed Source of data Legal basis for processing Duration of processing
Surname, first name, email address Data Subject Consent of the data subject (GDPR Article 6 (1) a)) Until the purpose is fulfilled or consent is withdrawn

Recipients and data processors: ConvertKit (www.convertkit.com)
Transfer of data to third countries: does not occur
Profiling: does not occur

The Data Subject has the right to withdraw their consent for the newsletter subscription at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

2.3. Data processing purpose: Appointment booking via Google Calendar

The Data Controller provides the Data Subjects with the opportunity to book appointments for consultations or other meetings via Google Calendar. During the booking process, the Data Subject provides their name, email address, phone number, and other information related to the booking. The purpose of the data processing is to enable the Data Controller to organize consultations and meetings and to communicate with the Data Subject regarding the appointments.

Scope of data processed Source of data Legal basis for processing Duration of processing
Name, email address, phone number, other information related to the booking Data Subject Consent of the data subject (GDPR Article 6 (1) a)) Until the purpose is fulfilled or consent is withdrawn

Recipients and data processors: Google LLC (www.google.com)
Transfer of data to third countries: does not occur
Profiling: does not occur

The Data Subject has the right to withdraw their consent for the processing of their data provided during the booking process at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

2.4. Data processing purpose: Provision of web hosting services

The Data Controller uses web hosting services from DigitalOcean, LLC for the operation of the Website. During the provision of the web hosting service, the personal data of the Data Subject (e.g., IP addresses, log files) may be processed on the provider’s servers. The purpose of the data processing is to ensure the proper functioning of the Website and to protect the security of the Data Subjects.

Scope of data processed Source of data Legal basis for processing Duration of processing
IP addresses, log files Data Subject Consent of the data subject (GDPR Article 6 (1) f)) Until the purpose is fulfilled

Recipients and data processors: DigitalOcean LLC (www.digitalocean.com)
Transfer of data to third countries: does not occur
Profiling: does not occur

The Data Controller ensures that the data protection measures of DigitalOcean, LLC comply with the GDPR requirements and guarantee the security of the Data Subject’s data.

 

3. Data Transfer To Third Countries

The Service Provider may transfer data to third countries, including the United States. In such cases, the Service Provider certifies that Google LLC (and its wholly-owned U.S. subsidiaries) complies with the EU-U.S. Data Privacy Framework (DPF). These data privacy frameworks were established by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from EEA member states. Google remains responsible for any personal information it shares with third parties for external processing on their behalf under the Onward Transfer Principle, as described in their Privacy Policy’s „Sharing your information” section. For more information about the DPF, or to view Google’s certification, please visit the DPF website. https://policies.google.com/privacy?hl=en-US

 

4. Cookies Used On The Website

When visiting the Data Controller’s website, cookies may be placed on the Data Subject’s computer. Some cookies are essential for the proper functioning of the Website, while others collect information about the use of the Website to enhance the user experience. Some cookies disappear when the browser is closed, while others remain on the computer for a longer period.

The Data Controller uses the following cookies on the Website:

4.1. Cookies necessary for session management:

Session cookies are necessary for browsing the website and using its functions, ensuring the proper functioning and security of the website.

The session cookies used by the Website are as follows:

Cookie: elementor
Duration: Never
Description: This cookie is used by the website’s WordPress theme. It allows the website owner to modify or upload content in real-time.

Cookie: cookieyes-consent
Duration: 1 year
Description: This cookie is used by CookieYes. It remembers the users’ consent preferences to respect them on subsequent visits. It does not collect or store any personal data about visitors.

4.2. Cookies for activity analysis:

Cookies that analyze user activity help the Data Controller gather information about the Data Subject’s website usage habits to improve the Website.

The Website uses the following cookies for anonymous activity analysis:

Cookie: Google Analytics functions
Duration: 2 years and 1 minute
Description: One function anonymously identifies users who have already visited our website. This cookie is valid for 2 years from the visit. Another function prevents too much data from being supplied to the anonymous statistics collecting system in a short time. This function is valid for 1 minute from the visit.

Cookie: pys_session_limit
Duration:Never
Description: This cookie is set by the PixelYourSite plugin to manage the analytical services.

Cookie: pys_start_session
Duration:Never
Description:This cookie is set by the PixelYourSite plugin to manage the analytical services.

4.3. Advertising cookies:

Advertising cookies are used to select advertisements that the visitors are interested in and enable the Data Controller to display such advertisements on third-party websites. They also help measure the performance of our campaigns based on the information gathered.

The website uses the following advertising cookies:

4.4 Other cookies

Cookie: pbid
Duration: 6 months
Description:Currently not available.

4.5. Detailed information on how to set cookie preferences in various browsers can be found at the following links:

Chrome Chrome Support
Edge Microsoft Edge Support
Safari Safari Support

 

5. The basic principles for data processing

Personal data shall be:

  1. processed lawfully, fairly and, in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  7. The controller shall be responsible for, and be able to demonstrate compliance with, the principles of data processing (‘accountability’).

 

6. Rights Of The Data Subjects

6.1. Right to transparent information and communication
The Data Controller shall take appropriate measures to provide any information and any communication relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

6.2. Right to information and access to personal data
At the time when personal data are obtained, the Data Controller shall provide the data subject with all of the following information:

  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the recipients or categories of recipients of the personal data, if any;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • the right to lodge a complaint with a supervisory authority;
  • where the processing is based on point (a) of Article 6(1), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.

 

6.3. Right of access by the data subject
The data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information.

6.4. Right to rectification
The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

6.5. Right to erasure, right to be forgotten
The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services.
  • The Data Controller may refuse to erase the data if processing is necessary:
  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise, or defense of legal claims.

 

6.6. Right to restriction of processing
The data subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
  • the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.

 

6.7. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  • the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

6.8. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

6.9. Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

7. Data Protection Incidents, Legal Remedies

 

7.1. In the event of an incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed (data protection incident), the Data Controller undertakes to report it without delay and, if possible, not later than 72 hours after becoming aware of the data protection incident, to the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11.; phone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu) as the competent supervisory authority. The reporting obligation is exempted if the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons.

7.2. If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the data protection incident to the data subject without undue delay, providing clear and understandable information about the nature of the data protection incident.

7.3. The Data Controller informs the Data Subject that in case of a violation of their data protection rights, they may file a complaint with the NAIH or seek legal remedy through a court. The Data Subject is also entitled to initiate proceedings before the competent court based on their place of residence or domicile.

7.4. If the Data Controller unlawfully processes the Data Subject’s data or breaches data security requirements, causing damage to another person, the Data Controller is liable to compensate for the damage. If such conduct violates the Data Subject’s personality rights, the Data Subject may claim damages. The Data Controller is exempt from liability for the damage and from the obligation to pay compensation if it proves that the damage or violation of the Data Subject’s personality rights was caused by an unavoidable external cause beyond the scope of data processing.

7.5. The Data Subject may seek legal remedy with the following authority: National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11.; phone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu).

7.6. In case of a violation of the Data Subject’s rights, they are entitled to seek legal remedy through the courts.

 

8. Disclaimer Of Liability

 

8.1. The Data Controller undertakes to verify the accuracy of the data provided by the Data Subject during contact with the Data Controller to keep the data up-to-date, but not more frequently than once every 3 (three) years. In this context, the Data Controller may contact the Data Subjects for data reconciliation purposes. The Data Controller draws the Data Subject’s attention to the fact that the Data Subject is solely responsible for the accuracy, authenticity, and correctness of the personal data provided by them. If the Data Subject provides false or inaccurate data to the Data Controller, they are solely responsible for any damage resulting therefrom.

8.2. The Data Controller also excludes liability for personal data voluntarily provided by the Data Subject without request. Data Subjects must ensure that they have the consent of third parties and the authorization to process and transfer their personal data.

 

9. Data Security

 

9.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Budapest, 31 May 2024
Sparring Partner in Business Ltd.