Data Protection Policy
1. Details of the data controller
Name of the data controller: FitPuli Limited Liability Company
Short name: FitPuli Ltd.
Registered seat: Katód Street 6. I/3., Győr, H-9024, Hungary
Representative: Dr Dániel Oláh, managing director
Data protection registration number: NAIH-141195/2018
Tax number: 26103639-2-08
Company registration number: Cg. 08-09-029303
Webpage: www.fitpuli.hu / www.fitpuli.com
Email of the DPO: email@example.com
2.1. For FitPuli Ltd (FitPuli, the Service Provider or the Data Controller), it is of utmost importance to protect the personal data of the visitors of www.fitpuli.hu or www.fitpuli.com and the users of the FitPuli app.
2.2. FitPuli is committed to processing the personal data of the visitors and customers in accordance with applicable laws. FitPuli aims to support the secure browsing of visitors to a maximum extent. FitPuli maintains the confidentiality of its visitors’ and customers’ personal data and processes such data for the success of its business, to exercise its rights and to perform its obligations in relation to it, in accordance with applicable laws. FitPuli only processes personal data that is necessary for the above purpose. FitPuli ensures that the processed data is accurate, complete and up to date.
2.3. At the same time, FitPuli ensures the security of data. In particular, FitPuli implements protection against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data stored or otherwise processed, as well as sufficient technical and organizational measures and processes that are necessary for compliance with the applicable laws and guidelines. In addition, FitPuli implements internal policies and processes as required under the relevant laws and industry guidelines.
2.4. FitPuli provides its services through the FitPuli website and app. For the performance of its services, FitPuli processes personal data provided by its customers and other data subjects.
2.5. Certain personal data provided is also considered as health data. The relevant laws guarantee enhanced protection in respect of health data. The Data Controller reserves the right to amend this Privacy Statement unilaterally from time to time. Customers and users will be informed of the changes in due course.
2.6. This Privacy Statement sets out the principles of our policies on data processing and of our day-to-day practices as to how we request data from our visitors and customers.
2.7. In this Privacy Statement, we also set out the purposes and the means of processing such data as well as how such data is maintained and secured.
2.8. When preparing this Statement, we considered the applicable laws and the most important international guidelines, in particular, the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- Act CXII of 2011 on data protection;
- Act LXVI of 1992 on the registry of personal data and address of individuals;
- Act CXIX of 1995 on the processing of data for research and direct marketing purposes;
- Act C of 2003 on electronic communications;
- Act XX of 1996 on the means of verification;
- Act V of 2013 on the Civil Code;
- Act CLV of 1997 on consumer protection;
- Act CVIII of 2001 on electronic commerce;
- Act XLVIII of 2008 on business advertisement;
- Act XLVII of 1997 on the processing of health data.
2.9. Upon the request of our visitors and customers, we will provide detailed information regarding the scope of personal data that we process, the purpose, legal basis and term of data processing as well as any activity relating to data processing.
2.10. In respect of any change in the principles or in its practices relating to data processing, FitPuli undertakes that it will inform the visitors of www.fitpuli.hu or www.fitpuli.com and the users of the FitPuli app at least 8 days in advance so that they are aware of the data processing principles and practices relating to www.fitpuli.hu or www.fitpuli.com at all times.
2.11. FitPuli undertakes that this Privacy Statement reflects the principles and practice it applies to the processing and protection of personal data.
3. Definitions relating to personal data
3.1. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
3.2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3.3. ‘data transfer’ means making available personal data to a specific third party;
3.4. ‘cross-border processing’ means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
3.5. ‘deletion of data’ means rendering data unintelligible in such a manner that it is not possible to recover it;
3.6. ‘specification of data’ means using an identifier for the data in order to distinguish it;
3.7. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
3.8. ‘erasure of data’ means the complete physical destruction of a carrier of data;
3.9. ‘processing data on behalf of the controller’ means performing technical activities relating to data processing, irrespective of the method and means used as well as of the place of processing, provided that the technical activities are carried out in respect of data;
3.10. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
3.11. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
3.12. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
3.13. ‘anonymization’ means a technical process that ensures that it is no longer possible to recover the connection between the data subject and the relevant data and that the data is deprived of its personal nature;
3.14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
3.15. ‘cookie’ means a (simple text) file placed on the hard drive of the user through his browser and which makes the user clearly identifiable upon its next visit;
3.16. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
3.17. ‘direct marketing activity’ means all activities, including activities which result in providing information via direct contact and any relating services the purpose of which is to offer goods or services to the data subject, to forward advertisements or to provide information to commercial partners or to consumers in order to advance a deal (purchase);
3.18. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
3.19. ‘data subject/customer/consumer’ means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to the personal data;
3.20. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
3.21. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
3.22. ‘third country’ means any country that is not a member state of the European Economic Area;
3.23. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
3.24. ‘publish’ means making personal data available for everyone;
3.25. ‘IP address’ means a unique string of numbers separated by full stops that identifies each computer using the Internet Protocol to communicate over a network;
3.26. ‘special categories of personal data’ means data
(a) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning a natural person’s sex life or sexual orientation;
(b) data concerning health or addictions, and criminal data;
3.27. ‘Hungarian Data Protection Authority (DPA)’ means the data protection authority whose legal status and competencies are governed by section 38 of the Data Protection Act;
3.28. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
3.29. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
3.30. ‘personal data’ means any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
3.31. ‘identification data’ means the individual’s first and last name, name at the date of birth, date and place of birth and mother’s name;
3.32. ‘objection’ means the data subject’s request in which he objects to the processing of his data and requests that the controller stops processing or deletes his personal data;
3.33. ‘Robinson list’ means the registry of data regarding those data subjects who prohibited or – notwithstanding the initial request of the entity carrying out direct marketing activities – did not consent to the processing of their personal data for the purposes of direct marketing;
3.34. ‘customer target list’ means a list containing solely the customer’s name, address, gender, date and place of birth, his interest and marital status and used for communication and advertising purposes;
3.35. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in economic activity.
4. Rules of data processing
4.1. This Privacy Statement enters into effect as of 31 January 2018 and remains valid until its withdrawal.
4.2. The GDPR requires that personal data must be processed lawfully and fairly, and the processing must be transparent for the data subject. Accordingly, FitPuli requests the data subjects’ data only for explicit and legitimate purposes and aims to inform the data subjects about the processing of their data in a transparent manner by way of this Privacy Statement. (‘Lawfulness, fairness and transparency’)
4.3. Personal data must be collected for specific, explicit and legitimate purposes; the data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The use of personal data must be restricted to the purpose for which the data has been provided. (‘Purpose limitation’)
4.4. The scope of personal data must not exceed what is necessary for the purpose of data processing. This means that FitPuli processes personal data only to the extent it is necessary for its operations. FitPuli aims to request only that personal data that is necessary for the relevant purpose and reviews the scope of data annually, in accordance with the ‘privacy by design’ principle. (‘Data economy’)
4.5. FitPuli keeps the data accurate and, where necessary, up to date and takes every reasonable step to ensure that any inaccurate personal data is erased or rectified. FitPuli aims to call the attention of the data subjects by all means that they may request the rectification of their data. Such right is also set out in the general terms and conditions. (‘Accuracy’)
4.6. During the storing of data, FitPuli aims to keep data for a sufficient period of time, as accurate and up to date data can help its business operations, and its compliance. FitPuli determines and reviews (if necessary) the applicable data retention periods with utmost care. (‘Storage limitation’)
4.7. FitPuli processes personal data in a manner so that it can ensure the appropriate security of personal data. FitPuli monitors the data security compliance of the Company by way of a monitoring system. (‘Integrity and confidentiality’)
4.8. FitPuli aims to demonstrate its data protection compliance (e.g. by way of implementing a Privacy Statement and regular trainings for employees).
5. Background information regarding the processing of personal data
5.2. However, in certain cases, our visitors must provide and submit their personal data so that they can use the FitPuli services to a maximum extent.
5.3. Personal identification data means those data or information relating to individuals that make it possible to identify somebody, to contact somebody or to identify its physical contact details – including but not limited to the following: name, address, postal address, phone number, fax number, email.
5.4. Anonymous data, which is collected in a way that does not identify any person and does not relate to any person and, as a result, cannot be connected with anybody, is not considered as personal data.
5.5. Data provided by a third party means the personal identification data – provided on the basis of necessary consent – which relates to the person using the service (or a visitor) but which is collected by the service provider by way of a third party, in accordance with applicable laws.
5.6. As a general principle, we declare that when we request personal data from our visitors, they can decide freely after having read the relevant information on our data processing whether they decide to provide the requested data or not.
5.7. Please note that if somebody does not provide his/her data, in certain cases he/she may not be able to use the service.
5.8. FitPuli also collects special categories of data that relates to health or addictions.
5.9. This Privacy Statement relates to the data expressly provided to FitPuli and not to data which is made publicly available. If somebody decides to make any of his or her data publicly available, this Privacy Statement does not apply to such data.
5.10. We do not add any further data to or connect data from other sources to the data provided by our visitors.
5.11. We never share the data of our visitors with third parties unless there is a legal basis to do so, or only in anonymous form.
If a competent authority requests the service provider to hand over data in accordance with applicable laws (in the case of the suspicion of a crime, and by way of an official request), to comply with its legal obligations FitPuli will hand over the data requested to the extent it is available.
5.12. If our visitors provide personal data to us, we will take all necessary steps to secure such data in the course of network communications (i.e. during online data processing) as well as during the storage of data (i.e. during offline data processing).
5.13. Our obligations to preserve and secure data within the FitPuli infrastructure are specified by specific principles, processes and security controls. All FitPuli personnel are responsible for compliance with such measures.
Only those personnel in relevant positions may have access to personal data – subject to high-level access control.
5.14. Should you have any questions in relation to our security measures, please send an email to the Data Protection Officer of the company, Mr. József Oláh, to firstname.lastname@example.org.
6. Scope, purpose, legal basis and term of data processing
As a rule of thumb, the legal basis of data processing relating to the provision of the FitPuli service is the informed and voluntary consent of the data subject or the conclusion of the contract.
In certain cases, the processing, storing and transfer of data is required by applicable laws.
While browsing at www.fitpuli.com, the server may automatically log the activities of the user.
Purpose of data processing: to monitor the operations of the service, to personalize services and to prevent abuse, the Service Provider collects visitor data while browsing the website.
Legal basis: the data subject’s consent, and section 13/A. § (3) of Act CVII of 2011 on data processing.
Scope of personal data: date, time, IP address, browser data, data of the visited webpage.
Data retention period: 30 days from the date of visiting the webpage.
FitPuli does not connect log data to other information and does not intend to identify its visitors.
The IP address is a unique string of numbers separated by full stops that identifies each computer using the Internet Protocol to communicate over a network. By way of an IP address, the geographic location of the visitor using the relevant computer may be identified. The address of the webpages visited, the date and time alone cannot identify the visitor. However, together with other data (e.g. the data provided upon registration), the IP address may make it possible to draw conclusions regarding the user.
6.2. Cookies on the www.fitpuli.com website
To provide personalized services, FitPuli stores small files (cookies) on the computer of the user and reads such files upon the return of the user to the website. When the browser sends back a cookie previously saved, the service provider may connect the visit of the user to his previous visits (but only in respect of its own sites).
Purpose of data processing: to identify users and to distinguish them from each other, to identify user sessions, and to store data on a work session basis, to prevent data loss.
Legal basis: the data subject’s consent.
Scope of personal data: individual identification number, date, time.
Data retention period: during the session.
Session cookies are stored on the user’s computer only until the browser is closed.
6.3. Electronic communications between FitPuli and Customers
The contact form on the webpage is for communication purposes. FitPuli categorizes the emails of Customers and other data subjects based on the relevant email’s content.
In respect of the data contained in emails received, FitPuli assumes that the sending party gave its informed and voluntary consent to the processing of such data by FitPuli.
FitPuli usually deletes the name and email address of the sending party together with any data provided voluntarily after five years from the date when such data was provided. However, in certain cases, the applicable law may specify a longer or shorter data retention period.
Purpose of data processing: to identify users and to distinguish them from each other, communication, helpdesk, exercising the data controller’s and the data subject’s rights, to ensure accountability.
Legal basis: Point a) of Article 6(1) of the GDPR, the data subject’s consent.
Scope of personal data: date, time, name, telephone number, address, gender, other personal data provided.
Data retention period: Until the completion of the purpose, or 5 years under section 17/B (3) of the Consumer Protection Act.
6.4. Newsletter, electronic direct marketing messages
FitPuli analyses the behaviour of its customers, visitors and users in order to show personalized (FitPuli and third party) advertisements for users via the channels provided by them and on the www.fitpuli.com website. You may subscribe to the newsletter of FitPuli via its webpage.
Purpose of data processing: email newsletters including an advertisement for visitors, showing personalized marketing messages on its own as well as on third party sites, preparing personalized offers based on user behaviour (e.g. based on opens and clicks), sending offers of the data controller and third parties.
Legal basis: Point a) of Article 6(5) of the GDPR, section 13/A of the Act on electronic commerce, and section 6(5) of the Act on business advertisements.
Scope of personal data: date, time, email, name, date of birth, consent for direct marketing purposes, analytics data relating to subscribe and unsubscribe data, as well as relating to dispatches, delivery and opening of emails.
Data retention period:
- until the withdrawal of the user’s consent, but no later than
- for 5 years from the last date when the user updates his/her data.
You may withdraw your consent to receiving direct marketing messages and request the deletion or rectification of your personal data at the contact details provided under the “Contact” menu. It may take 48 hours to complete the unsubscription process.
7. Data processing relating to the provision of FitPuli services
FitPuli carries out data processing activities for the following purposes:
- Establishment of a FitPuli user account;
- Customer relations and communications;
- Tracking of health conditions as well as the maintenance and improvement of the Customer’s health conditions.
7.1. Establishment of a FitPuli user account
Purpose of data processing: establishment of a FitPuli user account so that the user can use the FitPuli app and services.
Legal basis: Point a) of Article 6(1) of the GDPR, i.e. the data subject’s consent as well as points a) and c) of section 4(1) and point b) and c) of section 4(2) of the Act on health data.
Scope of personal data: the Customer’s (1) email; (2) last name; (3) first name; (4) gender; (5) date of birth; (6) postal code of workplace; (7) city of workplace; (8) street of workplace; (9) address of workplace; (10) operating system of the Customer’s phone (iOS, Android); as well as (1) name; (2) gender; (3) date of birth; (4) place of work; (5) type of work; (6) height; (7) weight.
Source of personal data: data provided by the Customer or by his/her employer upon the Customer’s consent.
Data retention period: the lifecycle of the FitPuli user account.
Data transfer: the data controller does not transfer personal data to any third party.
7.2. Tracking of health conditions as well as the maintenance and improvement of the Customer’s health conditions
Purpose of data processing: establishment of a FitPuli user account so that the user can use the FitPuli app and services.
Legal basis: points a) and b) of Article 6(1) of the GDPR, i.e. the data processing is carried out on the basis of the Customer’s consent and it is necessary for a performance of a contract to which the data subject is a party; as well as points a) and c) of section 4(1) and point b) and c) of section 4(2) of the Act on health data.
Scope of personal data: free time activity, its term, steps taken, floors, active minutes, mood, asleep period, quality of sleep, blood pressure, pulse, blood sugar, quality of vision, quality of hearing, blood test results, home address, smoking habit, coffee- and alcohol consumption, diet, medical history, medical history in the family, medication used on a regular basis, sensitivity to medication or other allergy.
Source of data: data provided by the Customer during the use of the FitPuli service.
Data retention period: during the term of the service agreement.
Data transfer: Any data is transferred only in anonymous form to the Customer’s employer/to the person paying the fees on behalf of the Customer, in cases where the customer uses the services via his/her employer, insurer or any other third party in a way that the subscription fees are not covered (fully) by the data subject.
8. Data processors
Firebase (Google LLC) registered seat: 1600 Mountain View, Amphitheatre Parkway, California, USA. According to the data processor, the data processor complies with the provisions of the GDPR.
9. Sharing data with independent third parties
We may share your data also with third parties.
In certain cases, the third party with whom we share your personal data may determine the purpose and means of the processing of your data. As a result, this third party will be responsible for compliance with the principles of data processing and this Privacy Statement.
For example, we may share your data with the following third parties:
- Criminal authorities if we are required to cooperate for such purposes.
9.1. How do we protect your personal data?
We ensure the security of your personal data by way of the following measures. FitPuli engages the cloud storage services of Google LLC called Firebase, which is in full compliance with the GDPR.
The provider protects the personal data stored with sufficient security measures (including technical and organizational measures). The technical measures include the security measures of the server, such as firewalls and other security protocols. The administrative measures include password protection of access, the review of access rights from time to time, and the requirement to change passwords every 90 days. Such control mechanisms also include, among others, the monitoring of any access to data and to the storage infrastructure, as well as entering into agreements with third parties requiring compliance with the applicable data protection laws. We pay attention to implementing sufficient measures to protect data when designing our services.
9.2. How long do we process your data?
As already set out in connection with the data protection principles relating to third parties, we process your personal data solely for lawful purposes and only as long as it is necessary for such purposes. If we no longer need your personal data, we will erase such data in a secure way. However, for the provision of our services, we need data that is up to date. Accordingly, following the data retention period specified above, we will update and clean the data stored with us and delete any inactive data. The deletion of data is carried out by FitPuli employees and it is logged by our system.
9.3. Your rights
It is important for us that you are aware of your rights provided under data protection laws. For this purpose, we set out below your rights relating to the personal data provided to us. (Please note that the list might not be complete.)
9.3.1. Right to withdraw consent: If you gave your consent to the use or processing of your data, you may withdraw your consent at any time provided that the relevant data is not necessary for the provision of the service.
9.3.2. Right to access data: By contacting us you may request information anytime on whether we are processing your data or not. If yes, you are also entitled to get access to the personal data stored by us and to request a copy of them. In addition, you may request information about how we process your personal data.
9.3.3. When providing information, we will provide you with the following data:
- the purpose of data processing,
- scope of relevant personal data,
- addressees of data transfers,
- data retention period.
You may ask for the rectification, deletion, restriction of your data and you may object to the processing of your personal data.
You may submit a complaint to the supervisory authority (www.naih.hu).
If we received the data from a third party you are entitled to request information about this.
9.3.4. Right to rectification: You may request FitPuli to rectify any inaccurate data or add missing data without undue delay.
9.3.5. Right to erasure:
You may request that we delete certain personal data stored with us without undue delay if:
- We no longer need the relevant personal data;
- You withdraw your consent relating to the processing of the relevant personal data;
- You object to the processing of your personal data;
- the relevant personal data must be deleted in order to comply with a legal obligation;
- You are concerned about the legal basis of our data processing.
9.3.6. Right to restriction of processing: If you contest the accuracy, justification or lawfulness of our data processing, you may request the restriction of certain processing activities.
You may also request the restriction of processing if we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims. In addition, you may request the restriction of processing if you doubt the legitimate ground of data processing.
During the restriction, no data processing activities may be carried out, with the exception of storage. Regarding the termination of the restriction, you will be informed by FitPuli in advance.
9.4. Complaint, recourse:
Hungarian Data Protection Authority (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság)
Registered seat: Szilágyi Erzsébet fasor 22/C., Budapest, H-1125, Hungary
Address: Pf. 5., Budapest, H-15340, Hungary
Telephone number: +36-1-391-1400
Fax number: +36-1-391-1410
9.5. Judicial proceedings
It is for the data controller to prove that data processing is carried out in compliance with applicable laws. The lawfulness of the data transfer must be proved by the transferee. Any disputes are within the competence of the regional court (törvényszék in Hungarian). Upon the choice of the data subject, the claim may be submitted to the regional court competent in respect of the registered address or his/her temporary place of residence.
Even an incapacitated person may be a party to the case. The DPA may join the case as a party supporting the data subject.
If the court upholds the data subject’s claim, then the court may order the data controller to provide information, rectify data, restrict access to the data, delete the data, to erase the conclusions resulting from automatic decision-making process, to comply with the objection of the data subject or to provide the data requested by the transferee.
If the court rejects the transferee’s claim, then the data controller must delete the relevant personal data within 3 days. The data controller is also required to delete the relevant data where the transferee does not file a claim with the court in due course. The court may order that its judgement must be published if it considers it to be necessary with respect to the interest of data protection and the rights of the data subjects.
The data controller is liable for any damages resulting from the unlawful processing of the data subject’s personal data or the violation of data security.
If the data controller violates the personal rights of the data subject by unlawful data processing or by violating data security, the data controller must pay compensation for personal damages (sérelemdíj in Hungarian).
In relation to the data subject, the data controller is liable for damages caused by the data processor. The data controller must also cover any compensation for personal damages (sérelemdíj in Hungarian) in respect of the data subject.
The data controller is exempt from any such liability if it proves that the damage or the violation of the data subject’s personal rights results from an unavertable circumstance outside of the scope of data processing.
No damages or compensation for personal damages may be claimed where the damage results from the data subject’s intentional or grossly negligent behaviour.