E-mail: info@happyfamily.hu

Privacy Policy

Data processing information
On data processing carried out by Happy Family Media Limited Liability Company

Date of entry into force:
February 12, 2025

I. Name and contact details of the Data Controller

Name: Happy Family Media Limited Liability Company
Registered office: 1117 Budapest, Nádorliget utca 8. F. ép. 1. em. 14. ajtó
Tax number: 27062810-2-43
Company registration number: 01-09-347354
Legal representative: Kalcsó Adrienn Anna
Contact person: Kalcsó Adrienn Anna

E-mail: kalcso.adrienn@happyfamily.hu
Address of the website operated by the Data Controller: www.happyfamilymedia.hu

II. Introductory provisions, basic concepts

The Data Controller carries out its activities on the website in order to provide online and offline marketing and media campaigns and other related, additional services.
The Data Controller informs the data subjects, in relation to the activities described above and other data processing related to its operation, through this data processing information, of all facts related to the processing of personal data, in particular the identity of the data controller, the purpose of the data processing, the scope of the data processed, the legal basis for the data processing, the duration of the data processing, the use of a data processor, the scope of persons authorized to view the data, the data security measures, the rights of the data subjects and their legal enforcement options.
This information is available in 1 copy in printed form at the registered office of the Data Controller and is continuously available in electronic form on the Data Controller’s website.
The Data Controller processes the data lawfully and fairly, and in a manner that is transparent to the data subject. In order to ensure lawful, fair and transparent data processing, the Data Controller compiles a clear data processing information for the data subjects. The Data Controller implements appropriate technical and organizational measures in order to guarantee the security of the personal data of the data subjects.
The Data Controller does not use or may not use personal data for purposes other than those stated in the information. The Data Controller only processes data brought to its attention by the data subject or otherwise lawfully acquired, and does not disclose them to third parties under any circumstances – except in cases specified in the applicable laws. Personal data may only be transferred in accordance with the relevant provisions of the relevant laws and in the cases specified in this information to the extent specified therein.
The data processing carried out by the Data Controller within the framework of its activities is carried out in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR) and Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: Infotv.).
Basic concepts:
personal data: any information relating to an identified or identifiable natural person (“data subject”) (e.g. the name, place of residence of the natural person using the service)
data subject: any specific natural person identified or identifiable on the basis of personal data (the natural person using the service is concerned on the basis of this information)
data processing: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of the processing specified in this notice, the data controller is the Data Controller;
data processor: the natural or legal person, public authority, agency or any other body in a contractual relationship with the Data Controller, which processes personal data on behalf of the Data Controller;
supervisory authority: in Hungary, the National Authority for Data Protection and Freedom of Information (hereinafter: NAIH), which is responsible for ensuring the right to informational self-determination.

III. Purposes of data processing, legal bases, data subjects and categories of personal data processed
III.1. Data processing related to core activities (online and offline marketing and media campaigns and other related, additional services)

III.1.1. Purpose of data processing and categories of processed data

The Data Controller processes the following categories of personal data for the purpose of providing online and offline marketing and media campaigns and other related, additional services:
Processed personal data:
1. Name of the data subject,
2. Billing address of the data subject,
3. Telephone number of the data subject,
4. Email address of the data subject,
Categories of data subjects: All data subjects using the service.

III.1.2. Legal basis and duration of data processing:

Legal basis of data processing The legal basis for data processing for data categories 1-4 is the performance of the contract or taking steps prior to entering into a contract (Article 6 (1) (b) of the GDPR and Article 6 (1) (c) of the GDPR).
Duration of data processing: Data processing lasts until the termination of the legal relationship between the data controller and the data subject, or 5 years after the contract in the case of complaint handling and claims.

III.2. Data processing by the Data Controller related to invoicing and preservation of accounting documents
III.2.1. Purpose of data processing and categories of data processed

The Data Controller processes the following categories of personal data for the purpose of issuing and preserving accounting documents (invoices) issued for the services provided by it – based on a legal obligation:
1. Billing data (Name of the data subject, billing address)
Categories of data subjects: All data subjects using the service.

III.2.2. Legal basis and duration of data processing:

The legal basis for data processing is Article 6 (1) of the GDPR. c) point, the data processing is necessary for the data controller to fulfill the legal obligation specified in Section 169 (2) of the Accounting Act. The data controller is obliged to provide data to the National Tax and Customs Office with regard to the invoices issued, pursuant to Act CXXVII of 2007 on Value Added Tax 257/G. -a and Annex No. 10, points 1, 4 and 6.
Duration of data processing: The data retention period is determined by Section 169 (2) of the Accounting Act at least 8 years.

III.3. Processing of data provided in electronic mail sent via the e-mail address published on the Data Controller’s website
III.3.1. Purpose of data processing and categories of processed data

The Data Controller processes the following categories of personal data for the purpose of contacting and maintaining contact for the provision and use of the service:
1. Name provided by the data subject
2. Email address of the data subject
3. Telephone number
4. Subject of the contact and content of the text message provided by the data subject
Categories of data subjects: All data subjects using the service.

III.3.2. Legal basis and duration of data processing:

The legal basis for data processing is the data subject’s consent (Article 6 (1) (a) of the GDPR), the performance of a contract in the case of using the service related to the data controller’s core activity, or taking steps prior to concluding a contract (Article 6 (1) (b) of the GDPR, Act No. 13/A (1)).
The data Duration of processing: The Data Controller processes the data subject’s contact data based on consent until the consent is withdrawn.

III.4. Data processing during the processing of opinions, comments/references
III.4.1. Purpose of data processing, categories of data processed

In order to develop and promote the services, document evaluations, and distinguish visitors/customers, the Data Controller processes the following categories of personal data:
1. Username and/or name
2. Image (optional)
3. Text of the evaluation

Scope of data subjects: All data subjects who write/publish comments and opinions/contribute to the publication of references

III.4.2. Legal basis and duration of data processing

Legal basis for data processing: the data subject’s consent (GDPR Article 6 (1) (a))
Duration of data processing: Until the consent is withdrawn. Consent can be withdrawn at any time, but it does not affect the previous lawful data processing.

III.5. Processing of Cookie and IP address data on the Data Controller’s website
III.5.1. Purpose of data processing and categories of data processed

The Data Controller processes data resulting from the use of cookies (hereinafter referred to as “cookies”) in relation to the User displaying the website in their internet browser.
A cookie is data that the visited website sends to the visitor’s browser (in the form of a variable name-value pair) so that it can store it and later be loaded by the same website. Later, with every HTTP(S) request, the browser also sends this data to the server, thereby modifying the data on the user’s device.
The Data Controller uses the Google Analytics service (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States of America) to analyze website traffic. The Data Controller processes the IP address recorded during the Data Subject’s visit in an anonymized (masked) manner within the framework of the Google Analytics service, which means that – before any kind of storage or processing operation takes place – it performs the anonymization/masking of IP addresses. The anonymized data is no longer suitable for identifying the Data Subject, so this data is not considered personal data under the GDPR. The Data Controller uses the service to analyze the website traffic to organize the device category used by the Users, browser usage, and to measure the website traffic (visit time, session length, bounce rate). Google Analytics retains the data in an anonymized form for 24 months as described above. (For more information about Google’s data protection principles: https://www.google.hu/intl/hu/policies/privacy/ , for more information about Google Analytics anonymization: https://support.google.com/analytics/answer/2763052 ).
The Data Controller places the cookie (cookie or data package) specified in the table below – related to the Google Analytics service – on the Data Subject’s IT device, which, thanks to the anonymization/masking of IP addresses, is no longer suitable for identifying the Data Subject, so this data is not considered personal data under the GDPR.

Name of the cookie What data does the cookie access? Cookie lifetime Information about the function of cookies, the purpose of data processing

 

 

Name of the cookie

What data does the cookie access?

Cookie lifetime

Information about the function of cookies, the purpose of data processing

_ga

The data is collected through an anonymous identifier. They help the website owner analyze the performance of the website. They provide information on the number of users, the number of visits to each page, the time spent on the website, the duration, the device used to visit (mobile, desktop, tablet, screen size, operating system type), the geographical location of the visit at a maximum city level, and the frequency of visits (what proportion of returning or new visits there are).

2 years

The _ga cookie is used to distinguish individual users (or more precisely, individual browsers). It contains a randomly generated number as a value (e.g.: GA1.2.255322818.1517541613). It can be used to create long-term statistics on users’ visits to the website. It is included in each page request of the website.

_gat

The data is collected through an anonymous identifier. They help the website owner analyze the performance of the website. They provide information on the number of users, the number of visits to individual pages, the time spent on the website, the duration, the device used to visit (mobile, desktop, tablet, screen size, operating system type), the geographical location of the visit at a maximum city level, and the frequency of visits (what proportion of returning or new visits are there).

1 day

The _gat cookie, according to Google, is used to control request frequency – limiting data collection on high-traffic websites. It is included in every page request for the website.

_gid

 

1 day

Cookie name associated with Google Universal Analytics. Stores and updates a unique identifier for each page visited.

 

The User can delete cookies from his/her own computer or set his/her browser to prohibit the use of cookies. You can find information about cookie settings for the most popular browsers at the following links
Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
Safari: https://support.apple.com/hu-hu/HT201265

IV. Data transfer operations carried out by the Data Controller in the context of its activities

IV.1. Data transfer based on an official or court request, or procedures initiated by the Data Controller

The Data Controller shall transfer personal data on an ad hoc basis if an authority, court, other body, organization or person with public authority authority requires the transfer of data with an appropriate legal reference for the Data Controller.
The Data Controller shall also be entitled to transfer personal data on an ad hoc basis if the Data Controller is the initiator of a court, non-litigation or official procedure, and the initiation of the procedure shall be carried out exclusively in accordance with the data processing provisions of the relevant law. The Data Controller shall transfer the most necessary data sets that are absolutely necessary for the conduct of the procedure.

IV.2. Forwarding of invoice data to the National Tax and Customs Office

The data controller is obliged to provide data to the National Tax and Customs Office with regard to the invoices issued, pursuant to Act CXXVII of 2007 on Value Added Tax, No. 257/G. -a and Annex No. 10, points 1, 4 and 6. The legal basis for data processing is the fulfillment of a legal obligation pursuant to Article 6(1)(c) of the GDPR, which is defined in the law of the Member States in accordance with Act CXXVII of 2007 on Value Added Tax, No. 257/G. -a and Annex No. 10, points 1, 4 and 6.

V. Data processing by data processors in connection with the activities of the Data Controller

During its data processing activities, the Data Controller uses the following data processors on the basis of a contract. The data transfer to the data processors specified in this information can be carried out without the specific consent of the data subjects. Data processors cannot make independent decisions, they are only entitled to act in accordance with the contract concluded with the Data Controller and the instructions received.

 

Data processor details:

Description of data processing activity:

Meta Platforms Ireland Ltd.

web: www.facebook.com

GDPR: https://www.facebook.com/policy.php/

The data processor publishes videos, posts and comments and stores the data in relation to the data processing operations set out in Section III.4.

Google Analytics

web: www.googleanalytics.com

GDPR: https://analytics.google.com/analytics/web/provision/#/provision

The data processor performs web analytics for the data controller and stores related data generated during the operation of the website.

 

Meta Platforms Ireland

web: www.instagram.com

GDPR: https://www.instagram.com/policy.php/

The data processor publishes videos, posts and comments and stores the data in relation to the data processing operations set out in Section III.4.

Pinterest

Web: www.pinterest.com

GDPR: https://policy.pinterest.com/hu/privacy-policy

The data processor publishes videos, posts and comments and stores the data in relation to the data processing operations set out in Section III.4.

WordPress

web: www.wordpress.com

GDPR: https://automattic.com/privacy/

The data processor stores data generated in connection with the construction of the website.

Sybell Informatika Kft.

Web: www.sybell.hu 

GDPR: https://sybell.hu/adatvedelmi-tajekoztato/

The data processor provides hosting services to the Data Controller and stores data related to this activity.

Google Ads

Google Ireland Limited

Web: https://ads.google.com

GDPR: https://policies.google.com/privacy?hl=hu&gl=hu

The data processor provides advertising management services to the data controller, within the framework of which it stores the necessary data.

VI. Storage and security of personal data
VI.1. Handling of paper-based documents

Paper-based letters, consignments and other documents are placed in a securely locked room at the data controller’s headquarters, and only the data controller has access to them. Paper-based documents containing personal data can only be destroyed using a document shredder. The data controller is subject to a professional confidentiality obligation with regard to the data it processes.

VI.2. processing of personal data stored in an IT system

Electronically stored data may only be accessed by the Data Controller and data processors acting on the Data Controller’s instructions. During data processing, the Data Controller implements the following technical and organizational measures in order to guarantee a level of data security appropriate to the level of risk:
• ensuring the confidentiality of access by user identification and authorization management;
• only the Data Controller is authorized to log in and access the data;
• by ensuring a backup of the data, the data can be restored after a maximum of 24 hours.

VII. Rights of data subjects
VII.1. Deletion of personal data, withdrawal of consent to data processing

The Data Controller is obliged to delete the processed personal data if
a) the data subject requests it or withdraws his/her consent, unless the GDPR allows further processing of the data;
b) the purpose of the data processing has ceased;
c) the data subject objects to the processing based on the legitimate interests of the Data Controller, unless the Data Controller is able to demonstrate to the data subject in a clear and understandable manner the lawfulness of the data processing;
d) the personal data have been processed unlawfully by the Data Controller;
e) the time limit for data processing has expired.

The data subject may submit a request for the erasure of his or her personal data, or, if the Data Controller processes his or her personal data based on the data subject’s consent, may withdraw his or her consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of data processing based on consent prior to its withdrawal.

VII.2. Right to restriction of data processing

The Data Controller shall restrict the processing of personal data if
a) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for the period necessary for the clarification;
b) the processing is unlawful, but the data subject opposes the erasure of his or her data and requests the restriction of use;
c) the purpose of the data processing has ceased, but the data subject requests the processing of his/her data for the exercise of his/her legal claim;
d) the data subject has objected to the data processing.

The data subject has the right to have the Data Controller restrict the data processing at his/her request if one of the above conditions applies.

VII.3. Right to rectification

The data subject has the right to have the Data Controller correct inaccurate personal data concerning him/her without undue delay at his/her request. The Data Controller is obliged to clarify and correct the data incorrectly processed by him/her without a separate request from the data subject.

VII.4. Right to object

The data subject has the right to object at any time to the processing of his/her personal data if the data processing carried out by the Data Controller is based on the legitimate interests of the Data Controller. In the event of an objection, the Data Controller may only continue to process the data subject’s data if it proves that its legitimate interests override the interests of the data subject.

VII.5. Right of access of the data subject

The data subject has the right to receive feedback from the Data Controller, upon request, as to whether his or her personal data is being processed (“right of access”). The Data Controller shall, upon request, provide specific information on the purposes of data processing, the categories of data, the recipients affected by the transfer, the duration of data processing, the exercise of data subject rights, the lodging of a complaint with the supervisory authority, and the source of the data. The Data Controller is generally obliged to provide the data subject with comprehensive and comprehensible information on the relevant circumstances related to data processing. If the data subject requests it, the Data Controller shall provide a copy of the personal data.

VII.6. Procedure for submitting and handling requests from data subjects

Data subjects may submit their requests regarding the processing of their personal data orally (in person) or in writing (in person, by e-mail, by post) to the Data Controller’s contact details.
The Data Controller shall inform the data subject without undue delay, and no later than one month from the receipt of the request, of the measures taken in response to the request and the requested information. The Data Controller shall provide the information in the manner requested by the data subject.
If the identity of the person submitting the request is in doubt, the Data Controller may request additional information necessary to confirm the identity of the data subject. The Data Controller shall send a letter requesting additional information within 5 working days of receipt of the request.
As a general rule, the Data Controller shall not charge any additional fees for information and measures related to the data subject’s rights, except in exceptional cases where the request is clearly unfounded or the data subject requests multiple copies of the data and the fulfillment of the request entails particularly significant administrative costs.

VIII. Remedies for the data subject
VIII.1. Complaint to the National Data Protection and Freedom of Information Authority

If the data subject believes that the Data Controller has not been able to resolve his/her request regarding his/her personal data in a satisfactory manner, or considers that he/she has suffered a serious infringement of his/her rights in relation to the processing of his/her personal data, or that the Data Controller does not comply with the provisions of the GDPR during data processing, he/she has the right to file a complaint with the National Data Protection and Freedom of Information Authority.
The supervisory authority to which the complaint was submitted is obliged to inform the customer about the procedural developments related to the complaint and its outcome.
Contact details of the National Authority for Data Protection and Freedom of Information:
• registered office: 1055 Budapest, Falk Miksa utca 9-11.
• postal address: 1374 Budapest, Pf. 603.
• telephone: +36 (1) 391-1400
• fax: +36 (1) 391-1410
• e-mail: ugyfelszolgalat@naih.hu
• website: www.naih.hu

VIII.2. Right to go to court

In the event of unlawful data processing experienced by the data subject, the data subject may initiate a civil lawsuit against the Data Controller. The trial falls within the jurisdiction of the court. The lawsuit may also be initiated before the court of the data subject’s place of residence, at the data subject’s choice.

IX. Legislation used

In preparing the information, we have taken into account the following legislation:
– Act CXII of 2011 – on the right to informational self-determination and freedom of information (hereinafter: Infotv.)
– Act CVIII of 2001 – on certain issues of electronic commerce services and information society services (mainly Section 13/A)
– Directive 2002/58/EC (July 12, 2002) on the processing of personal data in the electronic communications sector and the protection of privacy (“Directive on privacy in electronic communications”)
– Act XLVIII of 2008 Act – on the basic conditions and certain restrictions of economic advertising activity (in particular Section 6)
– Act C of 2003 on electronic communications (in particular Section 155)
– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL