Privacy and Data Management Policy

VEAN TATTOO PRIVACY AND DATA MANAGEMENT POLICY

1 Contents
1.1 General Provisions
1.2 Scope of the Terms of Service
1.3 Uniform Rules on Deposits and Appointment Bookings
1.4 Rules Regarding Consent Form Prior to Tattooing
1.5 Use of Images of Tattoos
1.6 Privacy and Data Management Provisions
1.7 Final Provisions

2 CONSENT FORM
2.1 Annex No. Privacy and Data Management Provisions
2.2 Annex No.
2.3 Annex No. Sample Data Management Consent (for individual clients)
2.4 Annex No.

3 IDENTIFICATION DATA SHEET
4 PRIVACY AND DATA MANAGEMENT POLICY FOR INDIVIDUALS
4.1

This business policy contains the general legal, business, and data protection provisions related to the services provided by VeAn Tattoo Studio (hereinafter referred to as the Tattoo Studio).

Operator of VeAn Tattoo Studio (Company Information):

Company Name: TATTOO INDUSTRY Kft.
Registered Address: 1143 Budapest Stefánia út 59 B épl. 1 em. 1 aj.
Tax ID: 32497672-2-42
Represented by: Diána Bíró, Managing Director.

4.2

Scope of the Terms of Service

This business policy becomes effective as of 10.01.2022 and is valid indefinitely.

The provisions detailed in the business policy are binding on the parties without any special agreement.

With a separate agreement, the Client and the Tattoo Studio may mutually agree to deviate from specific provisions of this policy.

For matters not regulated by this policy, the applicable legal regulations shall apply.

This policy is prepared in both Hungarian and English.

4.3

Acceptance of the Business Policy by the Client

The Tattoo Studio ensures that the Client can familiarize themselves with this business policy in advance. The policy is public and can be viewed by anyone; it is made available in an easily accessible location and on the official website of the Tattoo Studio.

If the value of the service requested by the Client exceeds HUF 300,000 and the Client intends to pay in cash, we are obligated to conduct a customer due diligence process as required by the current laws on anti-money laundering and the prevention of terrorist financing.

During the customer due diligence process, we may request the presentation of documents (identification documents) that verify the data specified by law.

During identification, the Tattoo Studio is required to record the following data of the Client in writing:

a) For individuals:

  • Full name (including birth name),
  • Nationality,
  • Address,
  • Place and date of birth,
  • Mother's maiden name,
  • ID document number(s) and type(s).

For individuals, the Tattoo Studio is required to request the presentation of the following documents during identification:

  • For Hungarian citizens: an official identification document and proof of address,
  • For foreign individuals: a passport or personal ID that authorizes residence in Hungary, or a valid residence permit.

4.4

Unified Rules for Deposits and Appointment Bookings

If the service amount is expected to exceed HUF 7,000, the Tattoo Studio may request a deposit. The Client provides the deposit as a guarantee for the service to be performed. If the service cannot be provided at the scheduled time due to reasons within the Client's control, the deposit will be forfeited. If the service cannot be provided due to reasons within the Tattoo Studio's control, the Studio is required to return the deposit to the Client on the same day.

The Client acknowledges that they may modify the appointment once. This request must be made in person or by phone to the Tattoo Studio at least 7 working days before the originally scheduled time. If the Client does not accept the new appointment, the deposit will be forfeited.

The appointment given by the Tattoo Studio only applies to the design and placement agreed upon by the Client and the Tattoo Studio. If the Client wishes to change the design, it will be considered as a service that was not fulfilled due to reasons within the Client's control, and the deposit will be forfeited.

The parties will sign a separate agreement regarding the appointment and deposit.

4.5

Rules for Pre-Tattoo Consent Form

Before the service begins, the Client must sign a consent form that includes health-related questions. If the Client refuses to sign the consent form, they cannot receive the service. If the Client is 16 years of age but under 18, parental consent is also required. Both parents must sign the consent unless only one parent holds parental rights.

By signing the consent form, the Client acknowledges and accepts the following:

  • The tattoo artist is not responsible for any allergic reactions.
  • The artist is also not responsible for infections resulting from negligence during aftercare.
  • The color of the tattoo may fade due to individual factors or the characteristics of the skin. The Client may request a touch-up once within 1 month of the procedure.
  • It is not possible to restore the pre-tattoo skin condition.
  • Any previous skin treatments, laser hair removal, plastic surgery, or body modifications may affect the appearance of the tattoo.
  • A tattoo is a permanent procedure, and removal is not possible at the Studio.

4.6

Use of Images of Tattoos

The Tattoo Studio may take a photograph of the tattoo, which may only be used to showcase the work as a reference. The image may be uploaded to the Studio’s website or Facebook page. The images will be used anonymously. Commercial use of the photos and excessive public exposure are prohibited. The Client may expressly prohibit the use of the photos in the consent form specified in Section 5.

4.7

Privacy and Data Management Provisions

Privacy and Data Management provisions are detailed in a separate annex, which forms an integral part of this policy.

4.8

Final Provisions

This policy enters into force on the day of its signing.

Annex
Privacy and Data Management Provisions

Definitions:

  • Personal data: Any information relating to an identified or identifiable natural person ("data subject"). A natural person is identifiable if they can be identified, directly or indirectly, based on identifiers such as name, number, location data, or online identifiers, or based on one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
  • Data processing: Any operation or set of operations performed on personal data or data sets, whether automated or not, including collection, recording, organization, storage, modification, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Data controller: The natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of personal data.
  • Data processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
  • Recipient: A natural or legal person, public authority, agency, or another body to whom or with whom personal data is disclosed, whether or not they are a third party.
  • Data subject's consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
  • Data breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Principles of Personal Data Processing

  • Personal data must be processed lawfully, fairly, and transparently.
  • Personal data must be collected for specified, explicit, and legitimate purposes.
  • Personal data must be adequate, relevant, and limited to what is necessary.
  • Personal data must be accurate and kept up to date.
  • Personal data must be stored only as long as necessary.
  • Personal data must be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing.

The data controller is responsible for compliance with the above principles and must be able to demonstrate such compliance ("accountability").

5 Data Management: Complaint Handling
5.1

The fact of data collection, the scope of data processed, and the purpose of data management:

Personal Data - Purpose of Data Management

  • Last Name and First Name - Identification, communication.
  • Email Address - Communication.
  • Phone Number - Communication.
  • Billing Name and Address - Identification, handling quality complaints, queries, and issues related to ordered products.

5.2

Scope of individuals affected: All individuals who have lodged a quality complaint or made a complaint.

5.3

Duration of data processing and the deadline for data deletion: Copies of records, transcripts, and responses regarding the lodged complaint must be retained for 5 years, according to Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

5.4

Persons authorized to access the data, potential data processors, and recipients of personal data: Personal data may be handled by the data controller's sales and marketing employees in compliance with the principles outlined above.

5.5

Information on the rights of individuals concerning data management:
The individual may request access to, correction, deletion, or restriction of the personal data processed by the data controller. They may object to the processing of such personal data and have the right to data portability. Additionally, the individual has the right to withdraw their consent at any time.

5.6

Methods for initiating access, deletion, modification, or restriction of data processing, or objections to data processing:

5.7

Legal basis for data processing: Article 6(1)(c) of the GDPR, and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

5.8

Please note that:

  • Providing personal data is a contractual obligation.
  • The processing of personal data is a prerequisite for entering into the contract.
  • You are required to provide personal data so that we can handle your complaint.
  • Failure to provide the required data may result in us being unable to handle your complaint.

6 Social Media
6.1

Fact of data collection, scope of processed data: The name registered on Facebook/Google+/Twitter/Pinterest/YouTube/Instagram, etc., and the user's public profile picture.

6.2

Scope of individuals affected: All individuals who are registered on Facebook/Google+/Twitter/Pinterest/YouTube/Instagram, etc., and have "liked" the website.

6.3

Purpose of data collection: Sharing, "liking," and promoting certain content, products, promotions, or the website itself on social media platforms.

6.4

Duration of data processing, deadline for data deletion, persons authorized to access the data, and information on individuals' data management rights: The source of the data, its processing, transfer methods, and legal basis can be found on the relevant social media platform. Since data processing occurs on social media, the duration, method, and options for deleting or modifying the data are subject to the rules of the respective social media platform.

6.5

Legal basis for data processing: The voluntary consent of the individual to the processing of their personal data on social media platforms.

7 Customer Relations and Other Data Management
7.1

If any questions or issues arise regarding the services of the data controller, the individual may contact the data controller via the methods provided on the website (phone, email, social media, etc.).

7.2

The data controller will delete any emails, messages, or data provided via phone, Facebook, etc., including the name, email address, and other voluntarily submitted personal data of the inquirer, no later than 2 years after the data is provided.

7.3

For any data processing not listed in this notice, information will be provided at the time of data collection.

7.4

In the event of an official request from authorities or based on legal authorization from other entities, the Service Provider is obligated to provide information, disclose, transfer data, or make documents available.

7.5

In such cases, the Service Provider will only disclose personal data to the requesting party as much as is necessary to achieve the purpose of the request, provided the specific purpose and scope of the requested data are clearly indicated.

8 Employee Data Management
8.1

When establishing an employment relationship, the employee provides the personal data necessary for the establishment of the employment relationship, as well as for exercising the rights and fulfilling the obligations arising from the employment. The data controller does not collect or manage any other data related to employees beyond this. The legal basis for personal data management is the employee's consent and the Hungarian Labor Code.

8.2

The personal data processed includes the following:

  • Personal data as defined by the law on taxation,
  • Personal data as defined by the law on social security benefits and their coverage,
  • Personal data as defined by the law on mandatory health insurance benefits.

8.3

Persons authorized to access the data: the Managing Director of the data controller and the appointed accountant.

8.4

The data controller sends its employees for mandatory annual medical fitness examinations. The medical fitness certificate issued based on the examination must be handed over to the data controller. However, in addition to the employee's personal data, it may only indicate whether the employee is fit or unfit for the position. Accordingly, the data controller does not manage any sensitive data related to the employees, either for the purpose of the medical fitness examination or for any other purpose.

8.5

The duration of data management is until the last day of the 6th calendar year following the termination of the employment, unless a longer retention period is required by law.

9 Subcontractor Data Management
9.1

The purpose of data management in the case of contracts with subcontractors is to manage the essential contact details required for communication. Data management is carried out based on the contract between the data controller and the subcontractor.

9.2

Scope of the data processed: personal data included in the contract between the data controller and the subcontractor, primarily the contact person's name, phone number, email address, and contact address.

9.3

The personal data of subcontractors may be accessed by the company's management, the person performing the service, and the appointed accountant.

9.4

The duration of data management is until the completion of the contract, or for 8 years in accordance with Section 169 (2) of Act C of 2000 on Accounting.

10 Data Management Related to the Camera System
10.1

In accordance with the relevant provisions of Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation, the data controller uses an electronic surveillance system for property protection purposes, which records video footage. The camera system operates at the premises located at 1067 Budapest Teréz körút 9, ground floor 1.

10.2

If an electronic surveillance system is in place in a given area, we display a clear and visible notice in a manner that provides sufficient information to any third party entering the area. Employees are informed in writing about the camera system monitoring.

10.3

As a general rule, the recorded footage is stored for three working days, unless an activity or circumstance constitutes an exceptional case where, in accordance with the principle of purpose limitation and the interest-balancing test, as well as the applicable laws, it is necessary to retain the footage for longer than three working days.

10.4

The location of the footage storage: the camera device.

10.5

The data recorded by the electronic surveillance system may be viewed by the data controller and the store manager for the purpose of detecting violations and ensuring the proper operation of the system, in addition to those authorized by law.

11 Health Data Management
11.1

Health documentation data: any data that is health-related or may have an impact on the decision of the data controller.

11.2

The legal basis for data processing is the voluntary consent of the data subject.

11.3

If any personal data included in the health documentation is not provided, the data controller cannot guarantee the proper quality of the service. Due to the absence or incompleteness of the data, the data controller reserves the right to decide, at their discretion, whether or not to provide the service.

11.4

The duration of data processing is 5 years unless a longer retention period is required by law.

11.5

The personal data of subcontractors may be accessed by the company's management and the person performing the service.

11.6

Health data is not transferred or processed by third parties.

12 Rights of the Data Subject:
12.1

Right of Access


You have the right to receive feedback from the data controller on whether your personal data is being processed. If such processing is ongoing, you are entitled to access the personal data and the information listed in the regulation.

Right to Rectification


You have the right to request the data controller to correct inaccurate personal data concerning you without undue delay. Considering the purpose of the data processing, you also have the right to request the completion of incomplete personal data, including by means of providing a supplementary statement.

Right to Erasure


You have the right to request the data controller to delete your personal data without undue delay, and the data controller is obligated to delete your personal data without undue delay under certain conditions.

Right to be Forgotten


If the data controller has made your personal data public and is obliged to erase it, the data controller, taking into account available technology and implementation costs, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that you have requested the erasure of any links to, or copies or replications of, the personal data in question.

Right to Restriction of Processing

You have the right to request the data controller to restrict the processing of your data if one of the following conditions applies:

  • You contest the accuracy of the personal data, in which case the restriction applies for a period enabling the data controller to verify the accuracy of the personal data.
  • The processing is unlawful, and you oppose the erasure of the data and request the restriction of its use instead.
  • The data controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims.
  • You have objected to the processing; in this case, the restriction applies pending verification of whether the legitimate grounds of the data controller override yours.

Right to Data Portability


You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the controller to which the personal data was provided.

Right to Object


You have the right to object, at any time, to the processing of your personal data for reasons related to your particular situation, including profiling based on those provisions.

Right to Object to Direct Marketing


If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling to the extent that it is related to direct marketing. If you object to the processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

Right Not to Be Subject to Automated Decision-Making, Including Profiling



You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This right does not apply if the decision:

  • Is necessary for entering into, or performance of, a contract between you and the data controller.
  • Is authorized by Union or Member State law applicable to the data controller and which also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests.
  • Is based on your explicit consent.

Time Limit for Action

The data controller shall inform you of the action taken on your request without undue delay and, in any event, within one month of receipt of the request.

This period may be extended by two months where necessary. The data controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the data controller does not take action on your request, they shall inform you without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

13 Security of Data Processing
13.1

The data controller and data processor, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of the data processing, and the varying probability and severity of risks to the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk. These measures include, among others, as applicable:

a) Pseudonymization and encryption of personal data;
b) Ensuring the ongoing confidentiality, integrity, availability, and resilience of systems and services used for processing personal data;
c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the data processing.

14 Data Transfer
14.1

The data controller does not transfer data received from clients, particularly health data, to any third parties.

Notification of the Data Subject Regarding a Data Breach


If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the data breach without undue delay.

The notification to the data subject shall clearly and plainly describe the nature of the data breach and provide the name and contact details of the data protection officer or other contact point for further information. The notification shall also describe the likely consequences of the data breach and the measures taken or proposed by the data controller to mitigate the potential adverse effects of the data breach.

The data subject does not need to be notified if any of the following conditions are met:

  • The data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the data breach, particularly measures such as encryption, which renders the data unintelligible to unauthorized persons;
  • The data controller has taken subsequent measures to ensure that the high risk to the data subject's rights and freedoms is no longer likely to materialize;
  • The notification would involve disproportionate effort. In such cases, the data subjects shall be informed by public communication or through similar measures that ensure the effective notification of the data subjects.

If the data controller has not yet notified the data subject of the data breach, the supervisory authority, after considering the likelihood of the data breach posing a high risk, may require the data subject to be informed.

Reporting a Data Breach to the Authorities


The data controller shall report the data breach to the competent supervisory authority under Article 55 without undue delay and, if possible, no later than 72 hours after becoming aware of the breach, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must be provided.

Complaint Procedure


Any alleged violations by the data controller can be reported to the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information


1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing Address: 1530 Budapest, P.O. Box: 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu
