DATA CONTROLLER/SERVICE PROVIDER
Name: Dr. Tamara Mayer
Address: 2800 Tatabánya, Győri út 8, Ground Floor, Unit 1
Email address: ugyved@drmayertamara.hu
Phone number: +36 20 521 0525
WEB HOSTING PROVIDER
Name: WebOrigo Magyarország Zrt.
Mailing address: 2161 Csomád, Szent István utca 48.
Email address: info@weborigo.eu
INTRODUCTION
Dr. Tamara Mayer, attorney-at-law (hereinafter: Data Controller or Service Provider), considers the protection and confidential handling of personal data to be of the utmost importance. The Data Controller acknowledges the content of this legal notice as binding upon itself. It undertakes to ensure that its data processing related to its services complies with the requirements set forth in this policy and in applicable laws. It will take all necessary security, technical, and organizational measures to guarantee the security of the data.
The Data Controller shall not disclose data that has come to its knowledge to any third party under any circumstances, except in the cases specified by law and the data transfers indicated in this Privacy Notice.
During the validity period of this document, the Data Controller collects and stores data exclusively for its own purposes. If the User decides—based on the data provided—that the Data Controller should not contact them in the future, the Data Controller will act in accordance with the User’s decision.
The Data Controller reserves the right to amend this privacy policy at any time, provided that data subjects are notified in a timely manner.
By beginning to use the Website, visitors to the Website (hereinafter: User) accept all terms and conditions set forth in this Privacy Policy (hereinafter: Policy); therefore, please read this Policy carefully before using the Website.
TERMS
What is data processing?
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Who is the data controller?
The entity that determines the purposes and means of processing personal data, either independently or jointly with others. For the purposes of this Notice, the Service Provider identified in this Notice is considered the data controller.
Who is the data subject?
Any natural person who is identified or can be identified, directly or indirectly, on the basis of specific personal data.
What is personal data?
Any information relating to an identified or identifiable natural person (“data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Who is the data processor?
A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the Service Provider as the data controller.
Which authority supervises the data processing carried out by the Service Provider?
The National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa Street 9-11).
DATA COLLECTION
When the data subject visits the website or contacts the Data Controller, the Data Controller may request information from the data subject, including their name, email address, phone number, and IP address. This information is hereinafter collectively referred to as “Personal Data” in this notice.
When contacting us, the provision of Personal Data to the Data Controller is voluntary, meaning it is not mandatory; data processing is based on consent. However, if the data subject does not provide certain information to the Data Controller, it is possible that the Data Controller will not be able to achieve the purposes set forth in this notice or provide the services.
DATA PROCESSING
The Data Controller’s data processing activities are based on voluntary consent. In certain cases, however, the processing, storage, and transfer of certain categories of data are required by law.
We draw the attention of those providing data to the Data Controller that if they are not providing their own personal data, it is the data provider’s responsibility to obtain the data subject’s consent.
SCOPE OF PROCESSED DATA:
Traffic measurement
During appointment booking:
Last name
First name
Email address
Phone number
Marketing functions
The data provided by the User is not public and will not be displayed.
DATA RETENTION
The Data Controller will retain Personal Data for as long as necessary to fulfill the purposes set forth in this notice, or until the data subject withdraws their consent to the processing of their Personal Data.
TRANSFER OF PERSONAL DATA
Within the Data Controller’s organization, access to Personal Data is restricted to those who expressly need it to achieve the purposes set forth in this notice, including internal audit functions.
The Data Controller does not sell, market, make available, or use in any form the Personal Data provided by the data subject to third parties, unless the data subject has given their express prior consent.
The Data Controller may share Personal Data with the following third parties: professional advisors (including accountants, auditors, legal advisors, and other similar professional advisors), authorities, and government agencies (authorities with jurisdiction over the Data Controller, such as regulatory authorities, other authorities, government agencies, and courts).
PURPOSE AND LEGAL BASIS OF DATA PROCESSING
For what purposes does the Service Provider process data?
- to identify the data subject;
- to identify the data subject’s rights;
- to maintain contact with the data subject;
- to respond to specific inquiries from the data subject and to manage and handle such inquiries;
- to protect the data subject’s rights;
- to prepare statistics and analyses;
- to conduct the Service Provider’s business activities;
- to enforce the Service Provider’s legitimate interests.
What does “conducting the Service Provider’s business activities” mean as a data processing purpose?
Data processing purposes falling under this category include, in particular, inquiries sent to the Service Provider, responses to such inquiries, information provided, and the documentation of service orders. The Service Provider also uses the personal data provided for the purpose of performing its internal tasks and functions.
Can the Service Provider use personal data for other purposes?
The Service Provider may use the data subject’s personal data for other purposes; in such cases, it will provide separate notice at the time of data collection and, if necessary, request the data subject’s consent.
What is the legal basis for the Service Provider’s data processing?
The Service Provider processes personal data only if at least one of the following conditions is met in connection with the data processing:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the Service Provider is subject;
- data processing is necessary to protect the vital interests of the data subject or another natural person;
- data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Service Provider;
- data processing is necessary for the purposes of the legitimate interests pursued by the Service Provider or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What does data processing based on the data subject’s consent mean?
This means that data processing is based on a voluntary statement by the data subject, made after receiving appropriate prior information, which includes the data subject’s explicit consent for the Service Provider to use and process the personal data provided by the data subject.
Can the data subject withdraw their consent?
In the case of data processing based on consent, the data subject has the right to withdraw their consent at any time; however, this does not affect the lawfulness of the data processing prior to the withdrawal.
What does data processing necessary for the performance of a contract mean?
If the data subject enters into a contract with the Service Provider, the Service Provider is entitled to process the personal data of the data subject entering into the contract for the purpose of concluding and performing the resulting contract.
What does it mean that data processing is necessary for compliance with a legal obligation to which the Service Provider is subject?
It means that the Service Provider processes data in order to fulfill its obligations as set forth in the law.
What does data processing necessary for the legitimate interests of the Service Provider or a third party mean?
The Service Provider has conducted, and will continue to conduct, a balancing test to determine whether the legitimate interest of the Service Provider or a third party in processing the data outweighs the data subject’s interests or fundamental rights and freedoms that require the protection of personal data.
PRINCIPLES OF DATA PROCESSING
What principles does the Service Provider apply when processing data?
The Service Provider
- processes personal data lawfully, fairly, and in a manner that is transparent to the data subject (lawfulness, fairness, and transparency);
- collects personal data only for specified, explicit, and legitimate purposes, and does not process such data in a manner incompatible with those purposes (purpose limitation);
- ensures that the data is adequate, relevant, and limited to what is necessary in relation to the purposes of the processing (data minimization);
- ensures that the data is accurate and, where necessary, kept up to date; in this regard, the Service Provider must take all reasonable measures to ensure that personal data that is inaccurate in relation to the purposes of the processing is erased or rectified without delay (accuracy);
- ensures that personal data is stored in a form that allows for the identification of data subjects only for as long as is necessary to achieve the purposes of the processing (storage limitation);
- processes personal data in such a manner that appropriate technical or organizational measures are implemented to ensure the security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage (integrity and confidentiality).
The Service Provider assumes responsibility for compliance with the principles set forth in sections 1 through 6 and is able to demonstrate such compliance (accountability).
May the Service Provider deviate from the original purpose of data processing?
If the Service Provider intends to use personal data for a purpose other than the original purpose of data collection, it is required to inform the data subject of this and obtain their prior, explicit consent, while also allowing them to prohibit such use for a different purpose.
Does the Service Provider verify the accuracy of personal data?
The Service Provider verifies the personal data provided by the data subject only in cases prescribed by law. The data subject is responsible for the correctness, accuracy, and appropriateness of the personal data provided by them.
Does the Service Provider transfer personal data to third parties?
The Service Provider does not transfer personal data to third parties, with the exceptions referred to in this Notice. If the Service Provider decides to engage a data processor, the Service Provider will transfer personal data to the data processor.
The Service Provider transfers personal data to third parties that do not qualify as data processors in the following exceptional cases:
- official requests from courts or law enforcement agencies;
- the use of personal data in an aggregated statistical form, which may not contain any other data capable of identifying the data subject in any form, and thus the disclosure of such data does not constitute data processing or data transfer.
Who does the Service Provider notify regarding the rectification, restriction, or erasure of personal data?
The Service Provider notifies the data subject, as well as all persons to whom the personal data was previously transferred, regarding the rectification, restriction, or erasure of the personal data it processes. This notification may be omitted if, in view of the purpose of the data processing, it does not infringe upon the data subject’s legitimate interests.
Does the Service Provider have a data protection officer?
In view of the provisions of the GDPR, the Service Provider does not have a data protection officer.
USE OF COOKIES
The Data Controller uses a standard technology known in technical terms as a “cookie” to collect information about how users interact with the Website.
The use of cookies and web server log files allows the Data Controller to monitor traffic to its individual web pages, tailor their content to the personal needs of data subjects, and display targeted advertisements on websites operated by third parties.
A cookie is a file that often carries a unique name, type, and content associated with a specific website. When a user visits a website, the website requests permission from the user’s computer to store this file on a specific part of the user’s hard drive designated for storing cookies. Every website you visit can send a cookie to your computer, provided that the settings of the browser used by the user allow it.
However, to protect the data of data subjects, the data subject’s browser only allows the specific website to access the cookie that the website sent to their computer; in other words, a website cannot unilaterally access cookies sent by other websites.
Browsers are generally set to accept cookies. However, if the data subject does not wish to accept cookies, they can configure their browser to reject cookies or to reject certain cookies. In this case, it is possible that some elements of the website will not function properly when the data subject browses it. Cookies cannot retrieve other information from your computer’s hard drive and do not carry viruses.
Based on the above, the Data Controller uses the following cookies:
- Google Analytics: purpose of data processing—traffic measurement
- Google Ads tag: personalized ads
- Facebook Pixel: purpose of data processing—traffic measurement, personalized ads
SAFETY
The Data Controller implements security measures to prevent unauthorized access to your Personal Data and to prevent unlawful processing, destruction, or damage to the data.
The Data Controller’s storage devices containing personal data are kept in physically secured locations and are not left unattended.
The Data Controller stores Personal Data (including Dr. Tamara Mayer’s mail servers) on servers located within the European Union. The virtual server is located on a physical server that is housed in a locked storage unit within the server room. Other users do not have access to the data.
RIGHTS OF DATA SUBJECTS
At the request of the data subject, the data controller shall provide information regarding the data it processes or that is processed by a processor it has commissioned, the purpose, legal basis, and duration of the data processing, as well as the name, address (registered office), and activities related to data processing of the processor, as well as information regarding who receives or has received the data and for what purpose. The data controller shall provide this information in writing and in an easily understandable form as soon as possible after the request is submitted, but no later than 30 days thereafter. This information is provided free of charge if the person requesting the information has not yet submitted a request for information regarding the same matter to the data controller in the current year.
The Data Controller shall erase personal data if its processing is unlawful, or if the data subject requests it, and in the event that the purpose of the data processing has ceased to exist.
The Data Controller shall notify the data subject of the rectification and erasure, as well as all those to whom the data was previously transferred for the purpose of data processing. Notification may be omitted if this does not infringe upon the data subject’s legitimate interests in light of the purpose of the data processing.
If the data subject’s rights are violated, he or she may bring a lawsuit against the Data Controller. The Data Controller shall compensate any third party for damages caused by the unlawful processing of the data subject’s data or by a breach of technical data protection requirements. The Data Controller shall be exempt from liability if the damage was caused by an unavoidable event outside the scope of data processing. No compensation shall be payable if the damage resulted from the intentional or grossly negligent conduct of the injured party.
DURATION OF DATA PROCESSING
The Service Provider will process personal data until any of the following conditions are met:
- the personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
- the Service Provider has processed the personal data unlawfully;
- the personal data must be erased in order to comply with a legal obligation under the law applicable to the Service Provider;
- the statutory retention period for the personal data has expired;
- the personal data is incomplete or incorrect—and this condition cannot be lawfully remedied—provided that the law does not preclude erasure;
- the competent data protection authority or a court has ordered the erasure of the personal data.
The Service Provider is required to retain the record of the complaint submitted by the data subject and the related response for a period of 5 (five) years.
RIGHTS OF THE DATA SUBJECT AND THEIR EXERCISE
What rights does the data subject have regarding data processing?
The data subject has the following rights regarding data processing:
- the right to be informed (Articles 13 and 14 of the GDPR);
- the right of access to personal data (Article 15 of the GDPR);
- the right to rectification and completion of personal data (Article 16 of the GDPR);
- the right to erasure of personal data (Article 17 of the GDPR);
- the right to restriction of processing (Article 18 of the GDPR);
- the right to data portability (Article 20 of the GDPR);
- and the right to object to the processing of personal data (Article 21 of the GDPR).
What does the right to information mean?
During the period of data processing, the data subject may request information from the Data Controller regarding the processing of their personal data.
The data subject may request information regarding the processing of their personal data at any time in writing by sending a registered letter or a letter with return receipt requested to the Data Controller’s registered office, or by sending an email to the contact information provided by the Data Controller in this Notice.
The Data Controller shall consider the request for information to be authentic and actionable if i) in the case of a letter sent by mail, the data subject can be clearly identified, and ii) in the case of an email, if the email was sent from the email address previously provided by the data subject. The Data Controller reserves the right to verify the data subject’s identity by other means prior to fulfilling the request for information.
The information provided by the Data Controller covers the details regulated by the GDPR, which specifically includes the following: the Service Provider’s details (including the name and contact information of its representative), the purpose and legal basis of data processing, the source of the data, the duration of personal data storage (or the criteria for determining it), the data subject’s rights (access to personal data, the right to request rectification, erasure, or restriction of processing, or to object to the processing of personal data, as well as the data subject’s right to data portability), the right to withdraw consent, the right to seek legal remedy (complaint, judicial remedy), the legitimate interests of the Service Provider as the data controller or of a third party (if the processing is based on this), the recipients of the personal data (if any), and the fact that the Service Provider, as the data controller, intends to transfer the personal data to a third country or an international organization (if applicable).
What does the right of access to personal data mean?
The data subject has the right to receive confirmation from the Data Controller as to whether their personal data is being processed. If such processing is taking place, the data subject has the right to access their personal data and the information detailed in the previous section.
What does the right to rectification and completion of personal data mean?
The data subject has the right to have inaccurate personal data concerning him or her rectified by the Data Controller without undue delay upon request.
The data subject has the right to request that incomplete personal data be completed—including by means of a supplementary statement—taking into account the purpose of the data processing.
If the Data Controller determines that the personal data it processes is incorrect, it shall rectify the data based on available documents or official records, or, if necessary, after consulting with the data subject.
If the data cannot be corrected, the Data Controller shall delete it. In the event that there is any obstacle to correction or deletion, the data must be permanently blocked with a note indicating the correction.
What does the right to erasure of personal data mean?
The data subject—following proper identification—has the right to request that the Data Controller erase personal data concerning him or her without undue delay. The Data Controller may refuse to comply with the data subject’s request for erasure if the processing is necessary
- for the exercise of the right to freedom of expression and the right to information;
- to comply with a legal obligation under the law applicable to the Service Provider that requires the processing of personal data, or to perform a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- on grounds of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, insofar as the right to erasure is likely to render such processing impossible or seriously jeopardize it;
- or for the establishment, exercise, or defense of legal claims.
If the Data Controller refuses to comply with the data subject’s request for erasure, it shall in all cases inform the data subject of this, stating the reason for the refusal and providing information on the available legal remedies.
If the request for erasure is granted, the personal data must be erased in such a way that it can no longer be recovered.
In what cases is personal data blocked instead of being erased?
Personal data must be blocked instead of being erased if the data subject requests it, or if, based on the information available, it can be assumed that erasure would harm the data subject’s legitimate interests.
What does the right to restriction of processing mean?
The data subject has the right to request that the Data Controller restrict processing if
- the data subject contests the accuracy of the personal data (in this case, the restriction applies for a period enabling the controller to verify the accuracy of the personal data); or
- the processing is unlawful, and the data subject opposes the erasure of the data and requests the restriction of their use instead; or
- the purpose of the data processing has been fulfilled, but the data subject requires the data to assert, exercise, or defend legal claims; or
- the data subject has objected to the processing (in this case, the restriction applies for the period until it is determined whether the Service Provider’s legitimate grounds take precedence over the data subject’s legitimate grounds).
What does the right to data portability mean?
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used, and machine-readable format. The data subject is also entitled to transmit this data to another data controller without hindrance from the Service Provider to whom the personal data was provided, if:
- the processing is based on the data subject’s consent or on a contract to which the data subject is a party, or the processing is necessary for taking steps at the data subject’s request prior to entering into a contract; and
- the processing is carried out by automated means.
The data subject’s right to data portability extends to the data subject’s right—where technically feasible—to request that the Service Provider directly transmit the personal data to another data controller.
What does the right to object to the processing of personal data mean?
The data subject has the right to object at any time to the processing of their personal data—including profiling—provided that
- the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Service Provider; or
- the processing is necessary for the purposes of the legitimate interests pursued by the Service Provider or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data; or
- if the processing or transfer of personal data is necessary solely for compliance with a legal obligation to which the Service Provider is subject, except in cases of mandatory data processing; or
- if the processing of personal data is carried out for the purposes of direct marketing, opinion polling, or scientific research; in such cases, the data subject has the right to object at any time to the processing of personal data concerning him or her for the purposes set forth in this subsection, including profiling, to the extent that it is related to direct marketing.
If the Data Controller accepts the data subject’s objection, it shall cease data processing—including further data collection and data transfer—and block the data, and shall notify all those to whom the personal data subject to the objection was previously transferred, and who are required to take action to enforce the right to object, of the objection and the measures taken based on it.
How does the Data Controller proceed when the data subject exercises the above rights?
The Data Controller shall inform the data subject of the measures taken in response to the request without undue delay, but no later than 1 (one) month from the receipt of the request. Depending on the complexity of the request and the number of requests received, the Data Controller may extend this deadline by up to 2 (two) months, in which case it shall notify the data subject within the original deadline, specifying the reasons for the delay. In the case of a request submitted electronically—unless the data subject requests otherwise—the Data Controller will provide the information electronically.
If the Data Controller fails to fulfill the above obligation within the deadline, the data subject may avail themselves of the remedies described in this Notice.
The Data Controller provides this information to the data subject free of charge.
RULES RELATING TO DATA SUBJECTS UNDER THE AGE OF 18
Persons under the age of 18 may provide their personal data only with the written consent of the person exercising parental authority.
This means that a person under the age of 18 is not independently authorized to provide their personal data and is required to obtain the consent of their legal representative. In the absence of such consent, the personal data of a person under the age of 18 may be processed only on a legal basis other than consent.
In the event that a person under the age of 18 does not establish personal contact with the Data Controller when providing their personal data, the data subject is obligated to ensure compliance with this provision, and the Data Controller shall not be held liable for any failure to do so. The Data Controller shall consider the provision of personal data to constitute a declaration by the data subject that the data subject is not subject to any restrictions regarding the provision of personal data.
However, the Data Controller reserves the right to verify the lawfulness of the data processing and the existence of a legal basis for such processing, including the consent of the person exercising parental authority.
The Data Controller will, of course, take all necessary measures to delete personal data of persons under the age of 18 that has been unlawfully transferred or made available to the Data Controller, and will ensure that such data is neither transferred nor processed.
REMEDIES
The Data Controller makes every effort to ensure that personal data is processed in accordance with the law. If the User feels that their right to the protection of personal data has been violated, they may seek legal remedy with the competent authorities in accordance with applicable laws.
Complaints regarding data processing may be submitted directly to the National Authority for Data Protection and Freedom of Information at the following contact information:
National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa Street 9-11.
Postal Address: 1363 Budapest, P.O. Box 9.
Phone: +36 (1) 391-1400;
+36 (30) 683-5969;
+36 (30) 549-6838
Website: www.naih.hu
Email: ugyfelszolgalat@naih.hu
The data subject may also bring a claim directly before the competent court for a violation of his or her rights. Depending on the data subject’s choice, the court with jurisdiction and competence to adjudicate the data subject’s claim is the court with jurisdiction over the data subject’s place of residence or place of stay.
Upon the data subject’s request, the Data Controller shall inform the data subject of the available legal remedies and the means to pursue them.
For any questions or comments regarding the data processing carried out by the Data Controller, the Data Controller may be contacted at the following contact details:
Dr. Tamara Mayer, Attorney at Law
Mailing Address: 2800 Tatabánya, Győri út 8, Ground Floor, Unit 1
Email: ugyved@drmayertamara.hu
Effective as of October 2, 2025