Data Protection Declaration

Oktatási és Nyelvi Központ Kft. places great emphasis on the secure handling of the personal data of all visitors to its website.

In the course of drafting the provisions of the present declaration, our company paid particular attention to being in compliance with the European Parliament and Council’s General Data Protection Regulation (GDPR 2016/679), with the Information Self-Determination and Information Freedom Act ( Act CXII/2011), and with the relevant provisions of the Civil Code (Act V/2013).

Contents:

1. Definitions

2. The purpose of data processing

3. Legal grounds for processing data

4. The scope of the data processed

5. The duration of processing the data

6. Principles and modes of data processing

7. Use of cookies

8. Webpage analysis and marketing

9. Information regarding data protection measures

10. Rights and legal recourse of affected persons

1. Definitions

1.1. Data Controller: the person (or business) who – alone or together with others – determines the purposes and means of Data Processing, makes decisions about data processing, and executes these decisions or have them executed by the Data Processor.

In the case of the present Declaration, Oktatási és Nyelvi Központ Kft. is to be regarded as the Data Controller.

Business address: 1052 Budapest, Váci utca 11/B Magyarország

Company registration number: 01 09 353312

Telephone: +36 70 336 5473

E-mail: budapest3@berlitz.hu

Web: https://www.berlitz.com/hu-hu

henceforth: Data controller or Berlitz

Our data protection officer:

Michal Nadzon, e-mail: michal.nadzon@berlitzpraha.cz

1.2. Data processing: any operation or set of operations performed upon Personal data or sets of Personal data, regardless of the means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as well as the making of any photographic, audio, or video recording of such data.

1.3. Personal data: any data or information by which a natural person User (Data Subject) – directly or indirectly – may become identifiable. This applies not only to data that can be connected directly to the User but to any inferences that can be drawn from these data regarding the User.

1.4. Data transfer: making the data available to a specific third party.In this regard, a third person is any natural or legal person who is not identical with the User, Data Controller or Data Processor.

1.5. Data Processor: service provider who processes personal data on behalf of the Controller. In the present Declaration the Data Processor is:

Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043 USA

1.6. User: the natural person who gives his or her personal data to the Data Processor.

1.7. Website: www.berlitz.com/hu, the website operated by the Data Controller.

2. The Purpose of Data Processing

2.1. Visitors on the Website may use the site without providing any of their personal data.

2.2. In order to gain access to services available at certain parts of the website (eg. the „Language Competency Level Tests” zone) or to make a request, it may be necessary for User to provide his or her personal data.

2.3. Purposes of processing the personal data provided by Users

a) provision of online content;

b) the identification of User, establishing and maintaining contact with User

c) determining the rights of User’s access ( to services available to User);

d) direct marketing, and marketing-related communication (eg. news letter etc.)

e) ad hoc notification about special offers

f) ad hoc notification about events;

g) generating statistics and performing analyses;

h) development of our information technology system.

If the Data Controller wishes to use the personal data at his or her disposal for any purpose other than the above purposes, he or she must inform User about all other purposes and provide User with all relevant information about the alternate use in e-mail prior to the intended use.

3. Lawfulness of data processing

3.1. Controller processes the personal data of the Users primarily on the basis of their voluntary consent. Where processing is based on consent, the Users have the right to withdraw their consent to the processing of their data at any time, which however does not affect the lawfulness of processing based on consent prior to the withdrawal of consent. The processing of User’s personal data is conditional on User’s voluntary and well-informed declaration of consent, by which User gives his or her express consent to Controller to use the personal data provided by User or any personal data generated about him or her in the course of using the Website.

3.2. Data processing may also be conducted by Controller or a third party if they pursue their legitimate and lawful interest unless User’s interests and basic rights to the protection of their personal data supersede and take priority over this interest. Data processing for the purpose of direct marketing is based on Controller’s legitimate interest.

3.3. Controller may only use personal data for other purposes than for which they were originally collected for if the new purpose/processing is compatible with the original purpose of data processing for which the personal data was originally collected.

3.4. Data transfer to the Controller defined in the Present Declaration may occur without User’s specific consent. Any further disclosure of personal data to a third party or to the authorities – unless otherwise dictated by law – may occur only by legal warrant or with the express prior consent of User.

Personal data may only be transferred abroad if User has expressly consented to it, or failing this, beside the lawful processing of personal data,the proper protection of personal data is also ensured in the third country.

4. Scope of data processed

Purpose of processing data

Data processed

  • Sending News Letters

Name

  • Sending advertising packages

E-mail address

  • Marketing communication

Phone number

  • Sending information about special sales

  • Events

5. Duration of data processing

Data processing must be stopped if all the purposes of data processing defined in 2.3 cease to exist.

Legal basis of data processing

Duration of data processing

Free consent of Data Subject (User)

Until User’s withdrawal of consent if the data processing has no other lawful basis.

The legitimate interest of Controller

For the duration determined by Controller (assuming it is proportional to the extent to which the data subject’s rights to his or her personal data are restricted)

6. The ways and principles of data processing

6.1. Controller shall process personal data lawfully, fairly, and in a transparent manner, as well as in accordance with the laws in force and the provisions set forth in the present Declaration.

6.2. Following the principles of purpose limitation and data minimization, the personal data processed by Controller shall be adequate and relevant to the purposes of the processing , and limited to the extent and duration necessary for the attainment of these purposes set forth in the present Declaration and in the governing law.

6.3. Controller does not check the personal data given by the data subjects (Users). The data provider (User) is solely responsible for the adequacy of the personal data given.

6.4. The personal data of individuals under 16 years of age can only be processed with the consent of an adult person who exercises parental rights over them. Controller cannot verify the entitlement of the consenting person or to check the declaration of consent, thus User or the person exercising parental rights over him or her vouches for the legality of the consent. In the case of a person younger than 16 years of age, in the absence of a declaration of consent, Controller shall not process any personal data.

6.5. The personal data of the User (as data subject) may only be disclosed to those employees of the Controller (and Processor) for whose work this is necessary. These employees of the Controller may structure the personal data for commercial, marketing, or direct marketing purposes and may create identifiable or anonymized data bases of them.

6.6. Personal data processed by Collector may not be transferred to any third person other than the one Data Processor has named in the present Declaration. Exempt from the present provision is the use of data for statistical purposes in aggregate form, which may not contain any data in any form that can make the data subject identifiable, thus this use of data does not qualify as data processing or data transfer.

In certain cases– when there is an official court or police warrant, or when Controller’s interests or his or her ability to provide service are at risk due to legal action regarding intellectual, property or other rights or when a probable cause for this action exists – Controller may make User’spersonal data available to third parties.

6.7. Controller shall notify User and all other parties to whom he or she has previously transferred User’s personal data for processing purposes of any correction, limitation or erasure of personal data processed by him or her. This notification is not necessary if the purpose of data processing does not hurt User’s legitimate interests.

6.8. Controller is responsible for the security of personal data and shall implement appropriate technical and organizational measures and processes that ensure that the recorded, stored and processed data be protected.Controller also ensures that these data may not be accidentally lost, unlawfully destroyed, or accessed, used, altered or distributed without proper authorization. Controller shall call on all third parties to whom personal data is transferred to act in accordance with the same data protection requirements.

7. Use of cookies

7.1. During visits to the Website, the servers used by Berlitz may record certain non-personal data that cannot identify the visitor personally (e.g. name of internet service provider, type of browser used, IP address, etc...).

We record information regarding your visits to our Website in a special file (log). We process the following personal data: the name of each webpage opened, date and time of access, the amount of data transferred, type and version of browser, your operational system, reference URL (webpage previously visited), your IP address and service provider seeking access.These data are necessary for the secure operation of the website. Therefore, we process these personal data based on our legitimate interests as defined in point f of Section 6 of the GDPR.Logs are automatically deleted after seven days unless they are retrieved during this period for the purposes of clarification or proof in a specific investigation of a legal infringement.

7.2. During visits to the Website, Berlitz may store certain information, commonly referred to as „cookies”, on your device.A „cookie” is a set of data that does not allow the unique identification of the visitor, but it contains information about traffic on the Website (e.g. which part of the website was viewed and when) and about the time spent there.

7.3. Visitors have the option to disallow cookies in their browser settings. Users may be able to access the Website even if cookies are not allowed, but this may make loading the pages slower or may prevent the use of certain functions.

List of cookies used by the Website:

Name

Duration of storage

Description

OptanonConsent

1 year

It stores information about the cookie categories used on the Website and monitors whether or not the users have given consent or withdrawn consent to the use of each given category. This allows the owners of a website to prevent the browser from selecting the settings of cookies in a category if the user has not given consent to it. It does not contain any information that could be used to identify the visitor.

OptanonAlertBoxClosed

1 year

This cookie is set after the visitors have seen the information regarding cookies, and in certain cases, only when they have actively closed the warning. It allows the website to avoid having to display the message for the user more than once. It does not process any personal data.

optimizelyRumLB

Session

Functionality cookie

AWSELB

Session

Functionality cookie

_gat_UA-36584533-1

A few seconds

This is a pattern-type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website to which it relates. This is a version of the _gat cookie, which is used to limit the amount of data recorded by Google on high-traffic volume websites.

_hjTLDTest

Session

Performance cookie

_gid

A few seconds

This cookie is associated with the service of Google Universal Analytics. It stores and refreshes values attached to every single visited page.

optimizelyEndUserId

A few seconds

Optimizely is a cookie set by a website optimization platform. This is a unique user identification cookie.

fs_uid

1 year

Performance cookie

_ga

2 years

This cookie’s name is associated with Google Universal Analytics, a significant update of Google’s most often used analytical service. This cookie is used for distinguishing individual users by assigning them a randomly generated client identification number. It is active in every page request on the website, and it is used to calculate visitor, session, and campaign data for website analysis reports.

fr

A few seconds

It is a marketing cookie. It contains a unique browser and user identification combination, which is used for targeting ad campaigns.

GPS

A few seconds

This is a marketing cookie.It collects user data through videos embedded in YouTube sites and aggregates them with other profile data gathered by Google services with the aim of directing targeted ads for visitors to their own websites and a wide range other websites.

YSC

A few seconds

This is a marketing cookie. It prevents malicious sites from acting on behalf of a user without that user’s knowledge. It collects user data through videos embedded in YouTube sites and aggregates them with other profile data gathered by Google services with the aim of directing targeted ads for visitors to their own websites or and a wide range other websites.

VISITOR_INFO1_LIVE

This is a marketing cookie. This cookie is used as a unique identifier in tracking the viewing of videos.

A few seconds

7.4. We store all your personal data relating to the operation of the present website through our web hosting service. This storage is indispensible for the operation of the website. For this reason, we process these personal data based on our legitimate interest in accordance with point (f) of Article 6 of the GDPR. We use the hosting services of service providers to whom we transfer the above data relating to the operation of our website.

7.5. In order to ensure efficient customer service, Controller uses acustomer relationship management system called Salesforce provided by representatives of Salesforce.com Germany GmbH, Erika-Mann-Str., 63, 80636 München, Germany („Salesforce”) in the Republic of Hungary. We use Salesforce to collect, integrate, and evaluate client data processed on our website (addresses, availability, client accounts, order information etc.). These data are uploaded to Saleforce’s servers during processing. The legal basis for this processing is the pursuit of our legitimate interest in improving our customer service as defined in point (f) article (1) of the GDPR. Salesforce is a cloud service, which means that the provision of services relies on the use of servers located at various places around the world. For this reason, it may happen that your data is transferred outside the European Union.

Salesforce ensures the proper level of data security by adhering to binding corporate regulations when transferring personal data to third countries; in the case of data transfer to the United States this goal is achieved by following the provisions of the Certification Under the EU-US Privacy Shield and the Swiss-US Privacy Shield Framework.

Salesforce’s certificate can be found at following links:

https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active

https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Privacy/privacy-shield-notice.pdf

For more information regarding the protection of personal data, please visit https://www.salesforce.com/company/privacy

8. Website analysis and marketing

8.1. To ensure certain functions, we install on your computer a number of small data packages (cookies) shared with other service providers. Some of the cookies we use get deleted when you close your browser („session cookies”). Other cookies remain on your device and allow us to recognize your browser at your next visit („persistent cookies”).

You may delete all cookies stored on your computer, and you can set your browser to completely block the installation of any cookies on your device.

In this case, however, you may need to adjust your settings every time you visit our website.The use of certain functions on our website may be limited in this case.

8.2. We use cookies in connection with the following functions:

aa) Google Analytics

We use the services of Google Analytics provided by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043 USA. To be able to perform its services, Google needs to use certain cookies. They generate data about your visits to our website (including your IP address), which are then sent to Google’s server in the USA, where they are stored. The stored information is then used to analyze the use of our websites and to report to the website’s operator about the activities on the website, as well as to assist in the provision of other services related to the website. The personal data so obtained is processed with your consent in accordance with point (a) of article (1) of the GDPR. Google shall not associate your IP address with any other data possessed by Google under any circumstance.

This website usesthe Google Analytics service with the "anonymizeIp()" extension. This means that the IP addresses are truncated before they are sent to the United States. This generally prevents the stored personal data from being associated with any given individuals. Only in exceptional cases are IP addresses transferred in full to the server in the United States and truncated there.

You have the option to object to the processing of your personal data any time in the future by disallowing the Google Analytics extension in your browser at http://tools.google.com/dlpage/gaoptout?hl=en or by clicking at this link.

Please note that information regarding data processing conducted by Google LLC can be found at the following addresses in the Google Partner network:

https://policies.google.com/technologies/partner-sites?hl=en

https://policies.google.com/technologies/ads?hl=en

Google certificate:

For further information regarding the protection of personal data, please visit: https://policies.google.com/privacy?hl=en&gl=de

bb) Facebook Remarketing/Retargeting: Facebook Custom Audiences (Pixel/Cookies)

We use so-called tracking pixels on our websites, which means that when you visit our website, a cookie file is installed on your computer. This file is permanently uploaded to your device. These cookies then let us collect information in order to determine which ads or which third-party websites have directed users to our website.We use this information and the analysis of the statistical data provided by this file for the optimization of our website.We process the obtained data for the optimization of our website for marketing purposes according to our legitimate interest based on point (f) in paragraph (1) of article 6 of the GDPR.

The cookie files may not be used for the personal identification of the users. The data are anonymized, and no information can be inferred from them regarding the personal identity of the users. All information relating to the use of the present website generated by this cookie file (including your IP address) is stored and processed by the server of Facebook Inc. (recently renamed as Meta Platforms, Inc. ) in the United States.

Facebook certificate:

For further information regarding the protection of personal data, please visit: https://www.facebook.com/help/568137493302217

By clicking at the link, you can withdraw your consent to the collecting and storing of your personal data at any time.

cc) Optimizely

For the continual improvement of our website we use the analytical service Optimizely provided by Optimizely Inc,631 Howard Street, Suite 100, San Francisco, CA 94105, USA („Optimizely“). Optimizely uses cookie files.These cookie files process information regarding the visits to the website, the date and time of viewing, the URL link (previously visited site), your browser, and your use of the website and your IP address. Please note that we the Optimizely system on our website with IP anonymization. This truncates your IP address before sending it to the server in the United States. This process generally prevents the stored personal data from being directly associated with any given individuals. Only in exceptional cases are IP addresses transferred in full to the server in the United States and truncated there. We process the data for the optimization of our website for marketing purposes according to our legitimate interest based on point (f) in paragraph (1) of article 6 of the GDPR.

The certificates of Optimizely, Inc.:

If you wish to find out more about Optimizely’s data protection policies, please visit here: https://www.optimizely.com/de/privacy/

You can stop your personal data from being processed by Optimizely in the future by setting a deactivation cookie file at https://www.optimizely.com/opt. Please note that if you delete the cookie files from your browser, then next time you need to click on the link again.

9. Data security declaration

9.1. The Controller has ensured the security of the personal data obtained and has implemented the technical and organizational measures and procedures that insure and are able to demonstrate that the processing is in accordance with the GDPR, the Information Act, and other data protection and confidentiality rules.

Controller’s information technology system and network are duly protected from computer assisted fraud, spying, sabotage, vandalism, fire and flooding, as well as from computer viruses, hacker attacks and service-blocking attacks. The operator provides both server-level and application-level safeguards and procedures to ensure the security of the data.

9.2. In addition to the responsibilities mentioned above, during the course of the automated handling and processing of personal data, Controller and Processor also ensure the following:

• the prevention of unauthorized data entry,

• the prevention of unauthorized use of the data processing system,

• the verifiability of data transfer,

• the scope of the data entered, date of entry, identity of the person entering the data (log keeping),

• the recoverability of data (security back-up) in case of system break-down or malfunction,

• the reporting of errors if they occur

9.3. Controller implements every possible measure to prevent any data security incident (any breach of security that may cause or lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to personal data transferred, stored or in any other way processed), but if such incident does still occur, will make the necessary steps to prevent or mitigate the consequences of such a breach without any delay.

Controller’s responsibilities in case of a data security breach:

• the data breach must be reported, without undue delay, if possible, within 72 hours from the time it was discovered, to the relevant supervisory authority;

• if the data breach may potentially present a high risk for the rights and freedoms of natural persons, Controller shall notify these data subjects (Users) of the breach without any undue delay;

• keeps a record of data breaches.

Data Processor’s responsibilities in the case of a data breach: reports the data breach that has occurred under his or her watch to Controller without any undue delay after discovery.

10. The data subject’s (User’s) rights and possible legal recourse

10.1. User has the right to request that Controller inform him or her about the processing of his or her personal data, the data processed, their source, the purpose, legal basis, and duration of the processing, Data Processor’s name, address, and activities in relation to the data processing, as well as about the measures taken to prevent any data breach or, in case of such a breach, about the circumstances, consequences of it, and – in the case of data transfer – about the transfer’s legal basis and its recipient.

Controller shall answer to User’s request for information in writing within up to 25 days of the submission of the request. The provision of the requested information is free of charge. If User submits to Controller a new request for information for the same set of data within the same calendar year, the fee for the repeated request is 10.000 HUF, which must be paid prior to the submission of the request to Controller’s bank account (11600006-00000000-93634348). Controller is not required to provide repeated information if this fee has not been paid.

10.2. The data subject (User) shall have the right to obtain from Controller the rectification, erasure, or blocking of his or her personal data.

In case of a request for rectification, Controller shall correct User’s data and shall notify User of the correction within 15 days of the submission of the request. If Controller notices that the personal data are incorrect, and the correct personal data are already at Controller’s disposal, then Controller has the right to correct the personal data within his or her purview. Controller shall notify User of the correction in writing.

The personal data must be erased if User so requests. The erasure may be denied if a) the processingis necessary for exercising the right of freedom of expression and information , or b) if the processing of Personal data is in compliance with a legal obligation under relevant law; or c) if they are necessary for the establishment, exercise, and defense of legal claims. Controller shall notify User of the denial of the erasure request, indicating the reason for the denial. The personal data must also be erased if they have been unlawfully processed, are incomplete or incorrect and this condition cannot be rectified legally, the purpose of the processing does no longer exist, the maximum period for which the storage is allowed by law has expired, or the erasure has been ordered by a court or relevant authority. After the personal data have been erased following a request to do so, the previous (erased) data shall not be restored.

Instead of erasing them, Controller will block the personal data if User requests it, or if it may be assumed, based on the available information, that the erasure may violate the data subject’s (User) lawful interests. The personal data thus blocked may only be processed as long as the purpose for processing that prevented the erasure in the first place exists.

10.3. If Controller denies User’s request to rectify, block or erase User’s personal data, Controller must inform User of the material and legal reasons of the decision in writing or, with User’s consent,in electronic form within 25 days of the submission of the request, and shall also inform User of his or her options of lodging a complaint with a supervisory authority or seeking legal recourse.

10.4. User, as the data subject, has the right to object to the processing of his or her personal data. Controller shall review the objection, decide on it, and inform User of the decision in writing within 15 days of the submission of the request. If the objection has legitimate grounds, Controller shall cease the processing of the personal data and shall block them. If User does not accept Controller’s decision, or if Controller has not informed User of his or her decision within the 15-day deadline, User may go to court within 30 days of receiving the decision or of the last day of the 15-day period within which the decision should have been issued.

10.5. Objections and request for information, rectification, erasure, or blocking may be sent to the following addresses:

• mailing address: 1052 Budapest, Váci utca 11/B

• e-mail: budapest1@berlitz.hu

10.6. Regarding the processing of his or her personal data,User may lodge a complaint directly with the National Authority for Data Protection and Freedom of Information (mailing address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).

10.7. If User’s rights have been violated, he or she may go to court.The lawsuit will be adjudicated in general court.The lawsuit, if so chosen by User, may be filed with the competent court that has jurisdiction over User’s domicile or place of residence.At request, Controller shall inform User of the possibilities and means of seeking legal recourse.