Privacy policy

About the Data Processing Carried Out by Star Studios Kft.

Effective date: April 8, 2024

I. Name and Contact Details of the Controller

Name: Star Studios Limited Liability Company
Address: 1024 Budapest, Keleti Károly utca 29/B, 3rd floor, no. 17.
Company registration number: 01-09-399939
Tax number: 27836741-2-41
Legal representative: Dr. Shalay Antony, managing director
Phone: +36-30/242-2076
Email: starstudioskft@gmail.com
Website: www.nalam.eu
Contact person: Tamás Rochlitz

II. Introductory Provisions and Basic Terms

The Controller carries out its activities for the purpose of renting a photo and film studio, a showroom and event venue, and providing related services.

Within the scope of the activities described above and in relation to its operations, the Controller informs data subjects via this privacy notice about all facts related to the processing of personal data—particularly about the identity of the controller, the purpose of processing, the categories of data processed, the legal basis for processing, the duration of processing, the use of processors, the persons entitled to access the data, the security measures, and the rights and remedies of data subjects.

This notice is available in printed form at the Controller’s registered office in one copy, and is continuously available in electronic form on the Controller’s website. The Controller processes data lawfully, fairly, and in a transparent manner for the data subject. To ensure lawful, fair, and transparent processing, the Controller prepares a clear and understandable privacy notice for data subjects. The Controller implements appropriate technical and organizational measures to guarantee the security of data subjects’ personal data. The Controller does not use personal data for purposes other than those set out in this notice. The Controller processes only the data disclosed to it by the data subject or otherwise lawfully obtained, and does not disclose such data to third parties—except in cases specified by applicable law. Personal data may be transferred only in accordance with relevant legal provisions and in the cases set out in this notice, to the extent defined therein.

In performing data processing within its activities, the Controller complies with Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) and with Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (the “Infotv.”).

Basic terms:

personal data: any information relating to an identified or identifiable natural person (“data subject”) (e.g., name and residence of a natural person using the service);

data subject: any identified or identifiable natural person based on the personal data (under this notice, the data subject is the natural person using the service);

processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;

controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the processing defined in this notice, the Controller is the controller;

processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller under a contractual relationship;

supervisory authority: in Hungary, the National Authority for Data Protection and Freedom of Information (NAIH), responsible for ensuring the right to informational self-determination.

III. Purposes and Legal Bases of Processing, Categories of Data Subjects and Personal Data

III.1. Processing Related to Invoicing and Retention of Accounting Documents

III.1.1. Purpose of processing and categories of data processed

For issuing and retaining accounting documents (invoices)—based on a legal obligation—relating to the services provided, the Controller processes the following categories of personal data:

  1. Billing data (data subject’s name, billing address, and tax number).

Categories of data subjects: natural persons using the services.

III.1.2. Legal basis and duration of processing

Legal basis: GDPR Article 6(1)(c); processing is necessary for compliance with the Controller’s legal obligation set out in Section 169(2) of the Accounting Act. The Controller has a data reporting obligation to the National Tax and Customs Administration (NAV) with respect to issued invoices pursuant to Section 257/G and Annex 10 points 1, 4, and 6 of Act CXXVII of 2007 on Value Added Tax.

Duration: the retention period for the data is at least 8 years as defined by Section 169(2) of the Accounting Act.

III.2. Processing of Data Provided via the Contact Form on the Controller’s Website

III.2.1. Purpose of processing and categories of data processed

For contacting and maintaining contact in connection with the provision or use of services, and for booking appointments, the Controller processes the following categories of personal data:

  1. Name provided by the data subject

  2. Data subject’s email address

  3. Subject of the inquiry and the content of the text message provided by the data subject

Categories of data subjects: natural persons using the services.

III.2.2. Legal basis and duration of processing

Legal basis: the data subject’s consent (GDPR Article 6(1)(a)); in case of using the Controller’s core services, performance of a contract or taking steps prior to entering into a contract (GDPR Article 6(1)(b), Section 13/A(1) of the E-commerce Act).

Duration: contact details based on consent are processed until consent is withdrawn.

I.1. Processing When Managing Reviews and Comments

III.2.3. Purpose of processing and categories of data processed

To improve and promote services, document reviews, and distinguish visitors/customers, the Controller processes the following categories of personal data:

  1. Username and/or name

  2. Likeness/image (optional)

  3. Text of the review

Scope of data subjects: all data subjects who write/publish comments and reviews.

III.2.4. Legal basis and duration of processing

Legal basis: the data subject’s consent (GDPR Article 6(1)(a)).
Duration: until consent is withdrawn. Consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

III.3. Processing of Cookie and IP Address Data on the Controller’s Website

III.3.1. Purpose of processing and categories of data processed

With respect to the User displaying the website in their internet browser, the Controller conducts processing arising from the use of cookies.

A cookie is data sent by the visited website to the visitor’s browser (in variable name–value form) for storage, which the website can later load. Thereafter, with every HTTP(S) request, the browser sends this data to the server, thus modifying the data on the user’s device.

The Controller uses Google Analytics (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to analyze website traffic. Within this service, the Controller processes the IP address recorded during the data subject’s visit in an anonymized (masked) way, meaning the anonymization/masking of IP addresses is carried out before any storage or processing activity occurs. The anonymized data can no longer be used to identify the data subject; therefore, under the GDPR, such data are not considered personal data. The Controller uses this service to categorize users by device type, analyze browser usage, and measure website traffic (visit time, session length, bounce rate). Google Analytics retains the anonymized data for 24 months. (More on Google’s privacy policy: https://www.google.hu/intl/hu/policies/privacy/ ; more on Google Analytics anonymization: https://support.google.com/analytics/answer/2763052).

The Controller places the following cookie(s)/data packages related to Google Analytics on the data subject’s device; due to IP anonymization/masking, these anonymized data can no longer identify the data subject and thus are not considered personal data under the GDPR.

Cookie name: _ga
Data accessed: collected via an anonymous identifier. Helps the website owner analyze site performance. Provides information about user numbers, page views, times and durations spent on the site, device used (mobile, desktop, tablet, display size, type of operating system), approximate geographic location at city level, and visit frequency (ratio of returning vs. new visitors).
Lifetime: 2 years
Function/purpose: distinguishes individual users (more precisely, browsers). Its value is a randomly generated number (e.g., GA1.2.255322818.1517541613). Enables long-term statistics on site visits. Included in each page request.

Cookie name: _gat
Data accessed: collected via an anonymous identifier. Helps the site owner analyze performance; provides the same type of traffic information as above.
Lifetime: 1 day
Function/purpose: according to Google, regulates request frequency—limits data collection on high-traffic websites. Included in each page request.

Cookie name: _gid
Lifetime: 1 day
Function/purpose: a cookie name associated with Google Universal Analytics. Stores and updates a unique value for each page visited.

Users can delete cookies from their own computers and can set their browsers to block the use of cookies. Learn more about cookie settings in popular browsers here:

Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
Safari: https://support.apple.com/hu-hu/HT201265

IV. Data Transfers Performed Within the Controller’s Activities

IV.1. Data Transfers Based on Requests from Authorities or Courts, and Procedures Initiated by the Controller

The Controller carries out ad hoc transfers of personal data when an authority, court, other body vested with public powers, organization or person requires the transfer from the Controller with appropriate legal reference. The Controller is also entitled to ad hoc data transfers where the Controller is the initiating party in judicial (litigious or non-litigious) or administrative proceedings, provided initiation is strictly in accordance with applicable legal provisions governing data processing. The Controller transfers only the minimum data strictly necessary to conduct such proceedings.

IV.2. Transfer of Invoice Data to the National Tax and Customs Administration

With respect to issued invoices, the Controller has a data reporting obligation to the National Tax and Customs Administration pursuant to Section 257/G and Annex 10 points 1, 4, and 6 of Act CXXVII of 2007 on Value Added Tax. Legal basis: performance of a legal obligation under GDPR Article 6(1)(c), as specified in the aforementioned national provisions.

V. Processing by Processors in Connection with the Controller’s Activities

The Controller uses the following processors under contract during its data processing activities. Transfers to the processors defined in this notice may be carried out without the data subjects’ separate consent. Processors may not make autonomous decisions and may act only in accordance with the contract with the Controller and the instructions received.

Processor details:

Google Ads
Google Ireland Limited
Web: https://ads.google.com
GDPR: https://policies.google.com/privacy?hl=hu&gl=hu

Description of processing:
The processor provides advertising management services to the Controller and stores the necessary data.

Processor details:
Meta Platforms Ireland
Web: www.facebook.com
GDPR: https://www.facebook.com/privacy/policy

Description of processing:
The processor publishes comments and posts and stores data in relation to the processing specified in Section III.3.

Processor details:
TikTok
Web: www.tiktok.com
GDPR: https://www.tiktok.com/legal/page/eea/privacy-policy/hu-HU

Description of processing:
The processor publishes videos, comments, and posts and stores data in relation to the processing specified in Section III.3.

Processor details:
Meta Platforms Ireland
Web: www.instagram.com
GDPR: https://www.instagram.com/policy.php/

Description of processing:
The processor publishes comments and posts and stores data in relation to the processing specified in Section III.3.

Processor details:
Google Analytics
Web: www.googleanalytics.com
GDPR: https://analytics.google.com/analytics/web/provision/#/provision

Description of processing:
The processor performs web analytics for the Controller and stores data generated during the operation of the website.

Processor details:
Elin.hu Kft.
Web: www.elin.hu
GDPR: https://elin.hu/dokumentumok/Adatkezelesi_tajekoztato.pdf

Description of processing:
The processor provides hosting services to the Controller and stores data related to this activity.

VI. Storage and Security of Personal Data

VI.1. Handling of Paper-Based Documents

Paper-based letters, mail, and other documents are kept in a well-secured room at the Controller’s registered office and are accessible only to the Controller. Paper documents containing personal data may be destroyed only using a shredder. The Controller is subject to professional confidentiality with respect to the data it processes.

VI.2. Handling of Personal Data Stored in IT Systems

Only the Controller and processors acting on the Controller’s instructions have access to electronically stored data. To ensure a level of security appropriate to the risk, the Controller implements the following technical and organizational measures:

  • Ensuring confidentiality of access with user authentication and permission management;

  • Only the Controller is authorized to log in and access the data;

  • By ensuring backups, data can be restored within a maximum of 24 hours.

VII. Rights of Data Subjects

VII.1. Erasure of Personal Data; Withdrawal of Consent

The Controller must erase the processed personal data if
a) the data subject requests it or withdraws consent, unless the GDPR permits further processing;
b) the purpose of processing has ceased;
c) the data subject objects to processing based on the Controller’s legitimate interest, unless the Controller can clearly demonstrate to the data subject that the processing is lawful;
d) the Controller has processed the personal data unlawfully;
e) the processing period has expired.

The data subject may submit a request for erasure of personal data. If the Controller processes personal data based on the data subject’s consent, the data subject may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

VII.2. Right to Restriction of Processing

The Controller restricts processing if
a) the data subject contests the accuracy of the personal data, in which case restriction applies for the time needed to verify accuracy;
b) the processing is unlawful, but the data subject opposes erasure and requests restriction;
c) the purpose of processing has ceased, but the data subject requests processing for the establishment, exercise, or defense of legal claims;
d) the data subject has objected to processing.

Upon request, the data subject is entitled to have the Controller restrict processing if any of the above conditions apply.

VII.3. Right to Rectification

The data subject has the right to have inaccurate personal data concerning them rectified without undue delay upon request. Even without a separate request, the Controller must correct or amend data that it has processed inaccurately.

VII.4. Right to Object

The data subject has the right to object at any time to the processing of their personal data where processing is based on the Controller’s legitimate interests. In case of objection, the Controller may continue processing only if it demonstrates that its legitimate interests override those of the data subject.

VII.5. Right of Access

Upon request, the data subject has the right to obtain confirmation from the Controller as to whether or not personal data concerning them are being processed (“right of access”). At the data subject’s request, the Controller provides specific information about the purposes of processing, categories of data, recipients of any transfers, duration of processing, the exercise of data subject rights, filing complaints with the supervisory authority, and the source of the data. In general, the Controller must provide the data subject with complete and comprehensible information about material aspects of the processing. Upon request, the Controller provides a copy of the personal data undergoing processing.

VII.6. Submission and Handling of Data Subject Requests

Data subjects may submit requests related to the processing of their personal data orally (in person) or in writing (in person, by email, or by post) using the Controller’s contact details.
The Controller informs the data subject without undue delay and at the latest within one month of receipt of the request about the measures taken and the requested information. The Controller provides information in the manner requested by the data subject.

If the identity of the requester is in doubt, the Controller may request additional information necessary to confirm the data subject’s identity. The Controller sends its request for additional information within 5 working days following receipt of the request. As a rule, the Controller does not charge a fee for information and actions related to data subject rights, except in the exceptional case where the request is clearly unfounded or the data subject requests multiple copies of the data and fulfilling the request would entail particularly significant administrative costs.

VIII. Remedies Available to Data Subjects

VIII.1. Complaint to the National Authority for Data Protection and Freedom of Information

If the data subject believes the Controller did not satisfactorily resolve their request regarding personal data, or considers that a serious infringement has occurred in relation to the processing of their personal data, or that the Controller does not comply with the GDPR during processing, they may submit a complaint to the National Authority for Data Protection and Freedom of Information. The supervisory authority to which the complaint was submitted must inform the client about procedural developments and the outcome.

Contact details of the National Authority for Data Protection and Freedom of Information:
Registered office: 1055 Budapest, Falk Miksa utca 9–11.
Mailing address: 1374 Budapest, Pf. 603.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
Website: www.naih.hu

VIII.2. Right to Bring Proceedings Before a Court

In case of unlawful processing experienced by the data subject, they may bring a civil lawsuit against the Controller. The case falls under the jurisdiction of the regional court (törvényszék). At the data subject’s choice, the action may also be brought before the regional court of their place of residence.

VIII.3. Legislation Used

In preparing this notice, we took into account the following legislation:
– Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.)
– Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (in particular Section 13/A)
– Directive 2002/58/EC (12 July 2002) concerning the processing of personal data and the protection of privacy in the electronic communications sector (“ePrivacy Directive”)
– Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (especially Section 6)
– Act C of 2003 on Electronic Communications (specifically Section 155)
– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL