Privacy Policy

The information presented in this document covers my services and related activities advertised on the krisztiantota.com website and related social media pages (Facebook, Instagram, LinkedIn, 500px, Flickr).

Prior to the photo shoot I will make a written agreement with you and at the same time I will provide a separate sheet of paper elaborating the Privacy Policy, as well as the rules concerning privacy and copyrights. In this document (agreement) I will specify the duration and methods of storing and using the photographs.

Data Controller
Name: dr. Krisztián Tóta (self-employed)

Contact: info@krisztiantota.com

Representative: dr. Krisztián Tóta

Contact: info@krisztiantota.com

Registered address for correspondence: 2120 Dunakeszi, Gérecz Attila utca 1/B. 2. Hungary

Website of Data Controller: krisztiantota.com

Registration Number: 53684538

Contact of the Data Protection Officer
I do not engage in any business practice that necessitates the employment of a data protection officer.
How do I access the limited amount of personal data I control?
CONTACT – by permission [as Data Controller, I will handle all personal data and information made available to me according to the legislation governing the processing of personal data and the free flow of such data; in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)]

Permission for data control may be withdrawn at any time by sending a message to info@krisztiantota.com. In this case I will immediately delete your personal data, except data I am obliged to store for other purposes (e.g. your name can be deleted from my contact list, but it will be retained on my invoices which I am legally obliged to keep). Data control prior to the withdrawal of permission will be considered legitimate.

Activity | Personal data involved | Purpose of data management | Duration of data management
Contact by telephone | name, telephone number | Contact via telephone or electronic mail, information request regarding my services, request for a call back. | Until the withdrawal of permission. Also, call list is deleted every month.
Direct contact via e-mail | name, e-mail address and any other personal data you disclose in your message | | Until the withdrawal of permission. The mailing system is reviewed every January.
Contact via contact form – “Send” button on the website | name, e-mail address and the contents of your message | |
PROVISION OF MY SERVICES – legal contractual basis [GDPR Article 6. Paragraph (1) Point b)]
Activity | Personal data involved | Purpose of data management | Duration of data management
Appointment request | name, e-mail address, telephone number, message | Appointment for photo shoot, keeping in touch in order to arrange the details | 5 years, if my offer is accepted. In the absence of acceptance, the mailing system is subject to annual review; personal data is deleted at this point at the latest, or immediately upon request.
Order | name, e-mail address, telephone number | The purpose of managing the data which is essential for the identification of my customers is to keep in touch and fulfill the contract. | 5 years
Signing user agreement | name and personal identification of natural person (mother’s name, place and date of birth, address), self-employed entrepreneur’s name, address, registration number, tax number, name and contact information of the contact person of legal person partners, representative of the legal person | Entering the terms of the contract in writing, with the details necessary to identify the contract partner and to fulfill the contract. Data are an essential element of the contract which must be concluded in writing. | Until the expiry of the contract.
FULL REMUNERATION OF MY SERVICES – legal contractual basis [GDPR Article 6. Paragraph (1) Point b)]
Activity | Personal data involved | Purpose of data management | Duration of data management
Payment via bank transfer | name, bank account number | Fulfilment of the contract with the payment method of the customer’s choice | 1+8 years for the storage of bank statements; SMS notifications deleted monthly
INVOICE – legal obligation [GDPR Article 6. Paragraph (1) Point c); Act C of 2000 § 169 paragraph (2) on Accounting (time limit for keeping documents); Act CXXVII of 2007 on Value Added Tax § 169 Point e) (mandatory elements of the invoice)]
Activity | Personal data involved | Purpose of data management | Duration of data management
Issue of invoice | billing name and address | Fulfilment of the invoice obligation with the information required by law. | Accounting documents must be kept for 1+8 years
SENDING NEWSLETTERS / eDM – by permission [GDPR Article 6. Paragraph (1) Point a); Act XLVIII of 2008 on the Basic Terms and Limits of Advertising Activities, Section 6 (1) – (3)]

Consent may be revoked by sending a message to info@krisztiantota.com. In this case I will immediately delete your personal data, except data I am obliged to store for other purposes (e.g. your name can be deleted from my contact list, but it will be retained on my invoices which I am legally obliged to keep). Data control prior to the withdrawal of permission will be considered legitimate.

Activity | Personal data involved | Purpose of data management | Duration of data management
Sending newsletters | name, e-mail address | Promoting my services, publishing my blog posts, sending news stories, introducing my new services to subscribers. | Until unsubscription
MANAGING THE DATA OF LEGAL PERSONS AND CONTACT PERSONS – BASED ON LEGAL INTERESTS [GDPR Article 6. Paragraph (1) Point f)]
Activity | Personal data involved | Purpose of data management | Duration of data management
Managing the data of professional and business partners and contact persons | the name, business address, telephone number, e-mail address, and occupation of the contact person | Professional and business contact with partners I only contact occasionally | For the duration of professional or business relationship; until objection
RELEASING PHOTOGRAPHS – by permission [GDPR Article 6. Paragraph (1) Point a); Act V of 2013 § 2:48 of Civil Code (The consent of the person concerned is required for recording image or sound and use thereof. The consent of the person concerned is not required for recording and use of crowd images or images of public appearance of a public figure.); and § 72 of Act LXXVI of 1999 on Copyright (In the case of a picture made to order, the consent of the person depicted is also required for the exercise of copyright.)]

Consent may be revoked by sending a message to info@krisztiantota.com. In this case I will immediately delete your personal data, except data I am obliged to store for other purposes. Data control prior to the withdrawal of permission will be considered legitimate.

Activity | Personal data involved | Purpose of data management | Duration of data management
Releasing images (on the krisztiantota.com website, Krisztián Tóta photographer Facebook page, Krisztián Tóta photographer Instagram page) | image, and possibly audio recording related to the image (for serial and / or separate captions) | presentation of activities, presentation of reference images | Until the revocation of consent, or until deletion. I have no real influence on deletion from social media. I may remove the picture from my own site, but if it was shared even once, it cannot be deleted without a trace.
OPERATION OF SOCIAL MEDIA WEBSITES – by permission [GDPR Article 6. Paragraph (1) Point a)]
Facebook, Inc. (‘Facebook’ | ‘Facebook Ireland’) and dr. Krisztián Tóta (self-employed) are joint data controllers, even though I only receive anonymous traffic statistics (‘Page Insights’) from Facebook, based on the technology offered by the site, as the administrator of my business (so-called ‘fan’) social networking sites. Data management by Facebook involves no more than anonymous statistics with the help of cookies – which are mentioned in this document and also elaborately explained in the Cookie Policy document. In this context, I hereby inform you that the consent also covers the transfer of data between the joint controllers.

However, given the relationship between the Joint Controllers, I would also like to inform you that I do not really have any authority over the full process of joint data management; my influence extends to the use of social media plug-ins on my website, the collection of data that may be obtained through Facebook’s built-in cookies, and their transfer to Facebook. After this transfer I am not responsible for any further use or management by Facebook of the data collected; that is the sole responsibility of Facebook.

For further information by Facebook about Page Insights Data, information used to create Page Insights, responsibility for your information used to create Page Insights, please see the following link:

https://www.facebook.com/legal/terms/information_about_page_insights_data (English)

Facebook Ireland and dr. Krisztián Tóta (self-employed) as the Page admin have entered into an arrangement to determine their respective responsibilities for compliance with the obligations under the GDPR. The processing of personal data for Page Insights is subject to the joint controllership arrangement (Page Insights Controller Addendum). For further information, please see the following link:

https://www.facebook.com/legal/terms/page_controller_addendum (English)

According to the Addendum, Page admins do not have access to the personal data processed as part of events but only to the aggregated Page Insights. Events used to create Page Insights do not store IP addresses, cookie IDs or any other identifiers associated with people or their devices aside from a FB user ID for people logged in to Facebook.

The events logged by Facebook in order to create Page Insights are solely defined by Facebook and cannot be set, changed or otherwise be influenced by Page admins.

I have posted information about joint data management and cookies on my Facebook page on the Notes tab.

Activity | Personal data involved | Purpose of data management | Duration of data management
Krisztián Tóta photographer Facebook page | name, public profile, public shares, likes, comments, private messages | Posting my activities, publishing my reference images, keeping in touch with interested parties, publishing my blog posts and short news stories, promoting special offers and new services. | Until liking and following the page is revoked. Prior data control will be considered legitimate.
Krisztián Tóta photographer Instagram page | name, public profile, public comments, private messages | | Until the user unfollows the page. Prior data control will be considered legitimate.

Cookies
Cookies are small files placed on the device when you visit a website. Cookies have several functions. Among others, they gather information, remember the individual settings of visitors and generally make the use of websites easier for users.

I would like to inform you that I have linked my website to my two social networking sites (you can go to Facebook and Instagram, and you can share my posts on Facebook). These social networking sites also place cookies on your computer, including those that may collect personal information about you. However, as I mentioned, I do not get to know or see this data.

I use Google Analytics cookies to collect information about the behaviour, demographics, and interests of the visitors of my website. This will help me make my website clearer and easier to use in the future. These cookies are unable to personally identify you and they store your data collectively and anonymously. The IP address is only partially recorded.

Cookies are not operational until the user clicks the relevant button. If you do not want social networking sites or Google Analytics to place cookies on your device, please make sure you choose the appropriate options in your browser.

You will find further information in the Cookie Policy document on how to disallow cookies in your browser.

Who else other than me has access to personal data?
Hosting service
Magyar Hosting Kft. (Hungarian Hosting Ltd.) (Registered address: 1132 Budapest, Victor Hugo utca 18-22. Hungary; Tax number: 23495919-2-41; Telephone number: +36-1-700-2323; e-mail: info@mhosting.hu)

Access to the full content of the site and mailing system as well as my newsletter mailing service.

Accounting
Gestio Könyvelő és Adószakértő Iroda Betéti Társaság (Gestio Accounting and Tax Advisors LP) (Registered address: 1033 Budapest, Miklós utca 13. 2. em. 7. Hungary; Tax number: 28258429-1-41; Telephone number: +36-1-460-0391 and +36-30-962-3389; e-mail: lenger.csaba@gestio.axelero.net)

Access to invoices issued to natural persons, and other accounting-related documents. They do not process any data other than recording and filing invoices.

Payment via bank transfer
Unicredit Bank Hungary Zrt. (Registered address: 1054 Budapest, Szabadság tér 5-6. Hungary; Telephone number: +36-1-325-3200)
Operating social media sites
Facebook, Inc., Menlo Park, California, USA

They provide the interface for my social networking sites through shared data management (Krisztián Tóta photographer Facebook, Krisztián Tóta photographer Instagram page)

Data transfer to third countries or international organizations
When transferring images, I use Google+, in addition to the services of the Dutch-registered WeTransfer B.V., so the only third country to which I transfer data is the United States. A declaration of conformity has applied between the USA and the EU since 12.07.2016 (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en), which also applies to Google (https://policies.google.com/privacy/frameworks) and Facebook (https://www.facebook.com/about/privacyshield).

Automattic complies with the GDPR by a contractual clause. (https://automattic.com/privacy/).

USER RIGHTS
You may exercise the following rights for the entire duration of data management:

a) Access to personal data

You have the right to ask for feedback on whether your personal information is being processed, and if so, why I am processing it, what data I am processing, to whom I transfer it, how long it is stored, what other rights you have, where to complain, etc.

b) The right to rectification

If I have misspelled your name, or got your telephone number, e-mail address or any other personal information wrong, I will correct or complete it upon request. Even if you request me to do so, I will not modify the photo you may have attached to your letter, or the photo I took of you, unless this is retouching work that we agreed on prior to taking the photograph. The right to rectification is therefore not unlimited. If I give your personal information to someone, I will tell them to make the necessary rectifications too.

c) The right to erasure (“The right to be forgotten”)

You do not even have to ask; I delete all your personal information without undue delay if you have withdrawn your consent to my permission-based data management (unless there is some other legal basis for data management) or I no longer need the data for the purpose for which I requested it.

In the unlikely event of me managing any of your personal data unlawfully, I will delete the data concerned of course.

Should you object to my data management based on legitimate interests, I will delete the personal data concerned unless there is an overriding legal reason for continued data management.

I only release personal data after receiving written permission to do so; therefore the right to be forgotten does not make sense in this context. If you wish to exercise your right to be forgotten, I will do my utmost to grant your wish.

d) The right to restriction

If you think I do not manage your personal data with precision, you may request restriction until we clarify the matter.

I have already mentioned that it is highly unlikely that I would manage your personal data unlawfully, but in this case you may request restriction instead of deletion.

It is possible that I might want to delete certain data which you need, for example in order to exercise your legal rights. In this case you may request restriction instead of deletion of the data in question, which means I keep it a little while longer.

If you object to your personal data being processed, the restriction is valid until there is a decision on whether my rightful reasons as data controller take precedence over your rightful reasons.

In this case my rights are restricted to data storage only.

e) The right to object

You may object to the processing of your personal information if my data management is based on a legitimate interest. This may only be the case with the contact details of my professional partners, and in the scope of my archiving activities (as specified in the notice elaborating the considerations of intended use), and it is not the legal basis of my data management for other activities. Exception to the right to object may be taken if I, as data controller, prove that data management is justified by compelling legitimate reasons which take precedence over your interests, rights and freedoms, or which are related to the filing, enforcement or defence of legal claims.

f) The right to data portability

You may request that your automated data be given to you in a structured, widely used, machine-readable format, or sent to another data controller. You may only request this if the legal basis for my data management is consent or contract. I will not hand over raw images in this case (as specified in the notice elaborating the considerations of intended use).

Complaint against my data management
If you believe that I manage your personal information incorrectly, please let me know so that we can discuss it. My e-mail address: info@krisztiantota.com

If you do not wish to discuss your complaint with me, you can also turn to the “Nemzeti Adatvédelmi és Információszabadság Hatóság” (NAIH; National Authority for Data Protection and the Freedom of Information; address: 1055 Budapest, Falk Miksa u. 9-11.; telephone number: +36 (1) 391-1400; e-mail: ugyfelszolgalat@naih.hu; postal address: 1530 Budapest, Pf. 5.).

Without affecting your right to complain to the supervisory authority (NAIH), you may enforce your rights in court, in a civil lawsuit. The court has jurisdiction to hear and determine the lawsuit. You will need to file a lawsuit with the court at your place of residence (for a list and contact details of the courts, see this link: http://birosag.hu/torvenyszekek).

Addendum on joint data management of Facebook and dr. Krisztián Tóta (self-employed):

According to the information available on Facebook’s website about Page Insights, Facebook Ireland and dr. Krisztián Tóta (self-employed) as the Page admin have agreed that Facebook Ireland is responsible for providing you with information about the processing for Page Insights and for enabling you to exercise your rights under the GDPR. Learn more about these rights in your Facebook settings. You can also contact Facebook Ireland’s data protection officer whose contact details can be found in Facebook Ireland’s Data Policy.

Facebook and dr. Krisztián Tóta (self-employed) as the Page admin have agreed that the Irish Data Protection Commission is the lead supervisory authority responsible for overseeing the processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission or with your local supervisory authority.

Automated decision making
I do not engage in any activities related to automated decision making and profiling.
Adequate security
In developing my security system I have taken into consideration the state of science and technology, the nature, scope, circumstances and purpose of data management, and the likelihood and severity of the risks to the rights and freedoms of natural persons.
Other regulations
My Privacy Policy takes effect from the 14th of December 2019, and I will review the contents as soon as there are new guidelines and regulations which make updating necessary. If I enter any new field of business, introduce new marketing tools or engage further data processors, I will update, supplement or change this Privacy Policy document accordingly.

For any issue not covered above, please refer to the rules and regulations of the GDPR.

Dunakeszi, 6 April 2022