Harmonymed.hu Privacy Policy
Deák Dávid Sole Proprietor
Privacy Policy
Introduction
The present Privacy Policy applies to the data processing activities of Deák Dávid Sole Proprietor (registered office: 2134 Sződ, Tabán utca 60., tax number: 69676413-1-33, company registration / registration number: 53524812 [REGISTRATION NUMBER]) (hereinafter referred to as: Service Provider, Data Controller), in accordance with the provisions set out below.
Pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information.
This Privacy Policy governs the data processing of the following website(s)/mobile application(s): https://harmonymed.hu/
The Privacy Policy is available at the following page: https://harmonymed.hu/adatkezelesi-tajekoztato
Any amendments to this Privacy Policy shall enter into force upon publication at the above address.
Data Controller and contact details
Name: Deák Dávid Sole Proprietor
Registered office: 2134 Sződ, Tabán utca 60.
E-mail: info@harmonymed.hu
Phone: 0620/320 22 90
Definitions
“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
“consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Principles relating to the processing of personal data
Personal data shall be:
processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes (“purpose limitation”);
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
The controller shall be responsible for, and be able to demonstrate compliance with, the above principles (“accountability”).
The controller declares that its data processing activities are carried out in accordance with the principles set out in this section.
Contact
Facts of data collection, scope of processed data and purpose of data processing:
Personal data
Purpose of data processing
Legal basis
Name
Identification
Article 6(1)(a) GDPR
E-mail address
Contacting and sending responses
Phone number
Contacting
Content of the message, if it contains personal data
Necessary for responding
It is not necessary for the e-mail address to contain personal data.
2. Data subjects concerned: All data subjects who send a message through the contact form.
3. Duration of processing, deadline for deletion of data: The controller processes the personal data until the purpose of data processing is fulfilled, but for a maximum of 2 years. If any of the conditions set out in Article 17(1) GDPR apply, data processing shall continue until the data subject’s request for deletion.
4. Description of the rights of data subjects regarding data processing:
The data subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and
the data subject has the right to data portability and to withdraw consent at any time.
5. The data subject may initiate access to, deletion, modification or restriction of processing of personal data, as well as data portability, in the following ways:
by post to 2134 Sződ, Tabán utca 60.,
by e-mail to info@harmonymed.hu,
by phone at 0620/320 22 90.
6. Legal basis for data processing: the data subject’s consent, pursuant to Article 6(1)(a) GDPR. If you contact us, you consent to the processing of your personal data (name, phone number, e-mail address) received during the contact process in accordance with this Policy.
7. Please note that
this data processing is based on your consent and is also necessary for providing an offer;
you are required to provide personal data in order to contact us;
failure to provide the data will result in your inability to contact the controller;
withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Use of Google Ads conversion tracking
The controller uses the online advertising program called “Google Ads” and, within its framework, uses Google’s conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
When the User reaches a website via a Google advertisement, a cookie necessary for conversion tracking is placed on the User’s computer. These cookies have limited validity and do not contain any personal data, therefore the User cannot be identified by them.
When the User browses certain pages of the website and the cookie has not yet expired, Google and the controller can see that the User clicked on the advertisement.
Each Google Ads customer receives a different cookie, so they cannot be tracked across the websites of Ads customers.
The information obtained by means of conversion tracking cookies is used to generate conversion statistics for customers who choose Ads conversion tracking. This allows customers to learn the number of users who clicked on their advertisement and were forwarded to a page equipped with a conversion tracking tag. However, they do not receive information that would allow them to identify any user.
If you do not wish to participate in conversion tracking, you may refuse this by disabling the installation of cookies in your browser. After that, you will not appear in the conversion tracking statistics.
Based on Google Consent Mode v2, Google also uses two new cookie types: ad_user_data and ad_personalization, which are based on the data subject’s consent and concern the use and sharing of data. ad_user_data is used to grant consent for sending user data to Google for advertising purposes. ad_personalization determines whether data may be used for ad personalization (e.g. remarketing). The controller ensures that appropriate consents are obtained and may be withdrawn through its cookie banner/panel. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Further information and Google’s privacy notice are available at: https://policies.google.com/privacy
Use of Google Analytics
This website uses Google Analytics, a web analytics service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files that are stored on your computer and help analyse how Users use the website.
The information generated by the cookie about the User’s use of the website is generally transmitted to and stored by Google on a server in the USA. If IP anonymisation is activated on the website, Google will shorten the User’s IP address within Member States of the European Union or in other states party to the Agreement on the European Economic Area beforehand.
Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate the User’s use of the website, compile reports on website activity for the website operator and provide other services relating to website activity and internet usage.
Within the framework of Google Analytics, the IP address transmitted by the User’s browser will not be merged with other data held by Google. The User may prevent the storage of cookies by selecting the appropriate settings in their browser, however please note that in this case you may not be able to use all functions of this website in full. You may also prevent Google from collecting and processing data generated by cookies related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu
Management of cookies
1. The use of so-called “password-protected session cookies”, “shopping cart cookies”, “security cookies”, “strictly necessary cookies”, “functional cookies” and “cookies responsible for website statistics” does not require prior consent from data subjects.
2. Facts of data processing, scope of processed data: Unique identification number, dates, times.
3. Data subjects concerned: All data subjects visiting the website.
4. Purpose of data processing: Identification of users, tracking of visitors, ensuring customised operation.
5. Duration of data processing, deadline for deletion:
Type of cookie
Legal basis of data processing
Duration of data processing
Session cookies or other cookies strictly necessary for the operation of the website
No personal data processing takes place through the use of these cookies.
They remain on the computer only until the end of the relevant visitor session, i.e. until the browser is closed.
Statistical and marketing cookies
Article 6(1)(a) GDPR
1 day to 2 years, in accordance with the cookie notice, or until the data subject withdraws consent.
6. Description of the rights of data subjects regarding data processing: Data subjects have the possibility to delete cookies in the Tools/Settings menu of browsers, usually under the Privacy settings.
7. Most browsers used by our users allow the user to define which cookies may be stored and allow certain cookies to be deleted again. If you restrict the saving of cookies on certain websites or do not allow third-party cookies, this may in certain circumstances result in our website no longer being fully usable. Here you can find information on how to customise cookie settings in common browsers:
Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)
Microsoft Edge (https://support.microsoft.com/…)
Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn)
Safari (https://support.apple.com/hu-hu/guide/safari/sfri11471/mac)
Processors used
Hosting provider
1. Activity performed by the processor: Hosting service
2. Name and contact details of the processor:
Rackforest Zrt.
1132 Budapest, Viktor Hugo utca 11. 5th floor
Phone: 06 1 211 0044
E-mail: info@rackforest.hu
3. Facts of data processing, scope of processed data: All personal data provided by the data subject.
4. Data subjects concerned: All data subjects using the website/mobile application.
5. Purpose of data processing: Making the website/mobile application available and ensuring its proper operation.
6. Duration of data processing, deadline for deletion of data: Until the termination of the agreement between the controller and the hosting provider, or until the data subject’s request for deletion addressed to the hosting provider.
7. Legal basis for data processing by the processor: Article 6(1)(c) and (f) GDPR, as well as Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services. Legitimate interest: proper operation of the website, protection against attacks and fraud.
Other processors (if any)
Social media platforms
The controller is also present on social media platforms in order to present its services and maintain contact with interested parties and clients.
Scope of processed data: Publicly available data on the data subject’s social media profile, in particular:
– name (username)
– public profile picture
– content published by the data subject and interactions related to the controller’s page (e.g. comments, messages).
Data subjects concerned: Natural persons who follow the controller’s social media page, interact with it, or send a message through it.
Purpose of data processing:
– presenting the controller’s activities and services,
– marketing and communication on social media platforms,
– maintaining contact with interested parties and clients.
Legal basis for data processing: The voluntary consent of the data subject to the processing of their personal data on social media platforms.
Duration of data processing: Processing lasts until the existence of the data subject’s interaction, or until the content published by the data subject is deleted. The controller stores messages and communication for a maximum of 2 years.
Further controllers: Social media platforms process user data as independent controllers according to their own privacy policies.
Facebook / Meta joint controllership
The controller has a Facebook / Meta profile for this activity. Statistical data processing on Facebook is carried out as joint controllership between the controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). Detailed information on the joint controllership agreement is provided in the Facebook Page Insights Controller Addendum, available at the following link: https://www.facebook.com/legal/terms/page_controller_addendum
The controller communicates via private message on the social media page only if you contact us there.
1. Categories of data subjects
the data subject who is registered on the social media platform and has “liked” the controller’s profile page,
the data subject who contacts the controller via private message on the social media platform.
2. Purpose of data processing
The purpose of data processing on the Facebook social media page is to share and promote the controller’s activities and services. Personal data provided by the data subject in a private message may be used by the controller to respond to the message; otherwise, the controller does not collect data through social media platforms and does not extract data from them.
3. Legal basis of data processing
Data processing is based on Article 6(1)(a) GDPR, i.e. the data subject’s consent to the processing of their personal data on the Facebook social media page.
4. Scope of processed data
registered name of the data subject,
public profile picture of the data subject,
other public data provided or shared by the data subject on the social media platform.
5. Source of personal data: The source of processed data is the data subject.
6. Withdrawal of consent: You may withdraw your consent to data processing at any time, and you may delete your post or comment. Data processing takes place through social media platforms operated by third parties. If you withdraw your consent, the controller will delete the conversation held with you. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The data subject may initiate access to, deletion, modification or restriction of processing of personal data, as well as data portability, in the following ways:
by post to 2134 Sződ, Tabán utca 60.,
by e-mail to info@harmonymed.hu,
by phone at 0620/320 22 90.
7. Duration of data processing
until the withdrawal of the data subject’s consent,
in the case of message exchange, 2 years.
8. Transfer of personal data, recipients, categories of recipients: For the definition of recipient see Article 4(9) GDPR. The controller transfers the data subject’s personal data to public bodies or authorities – including in particular courts, prosecution authorities, investigating authorities, petty offence authorities and the Hungarian National Authority for Data Protection and Freedom of Information – only in exceptional cases and where required by law.
9. Possible consequences of failure to provide data
If data is not provided, the data subject will not be able to obtain information about the controller’s activities and services through the Facebook social media page, nor send a message to the controller via Facebook Messenger.
10. Automated decision-making (including profiling): No automated decision-making, including profiling, takes place during data processing.
11. Joint controller agreement with Facebook Ireland Ltd.:
The Page Insights function displays aggregated data which helps understand how data subjects use the Facebook page. Facebook Ireland Limited (“Facebook Ireland”) and the controller are joint controllers with regard to the processing of analytics data. The Page Insights Addendum defines Facebook’s responsibilities and the controller’s responsibilities regarding the processing of analytics data. Facebook Ireland undertakes primary responsibility under the GDPR for the processing of analytics data and for compliance with all applicable obligations under the GDPR in connection with such processing. Facebook Ireland also makes the essence of the Page Insights Addendum available to all data subjects. The controller ensures that it has an appropriate legal basis under the GDPR for the processing of analytics data, identifies the page controller and complies with all other applicable legal obligations. Facebook Ireland bears sole responsibility for the processing of personal data in connection with the Page Insights function, except for data covered by the scope of the Page Insights Addendum. The Page Insights Addendum does not grant the controller the right to request personal data of Facebook users processed by Facebook Ireland in connection with Facebook, including Page Insights data. The controller may not act on behalf of Facebook Ireland or respond on its behalf in relation to data protection requests.
Customer relationships and other data processing
If, during the use of the controller’s services, a question arises or the data subject has a problem, the data subject may contact the controller through the channels provided on the website (phone, e-mail, social media pages, etc.).
The controller deletes incoming e-mails, messages and data provided by phone, Meta, etc., together with the name and e-mail address of the interested party and any other voluntarily provided personal data, no later than 2 years after the communication.
We provide information on data processing activities not listed in this notice at the time the data is collected.
In exceptional cases, upon request by authorities, or based on legal authorisation, the Service Provider is obliged to provide information, disclose or transfer data, or make documents available.
In such cases, the Service Provider shall provide the requesting party with personal data only to the extent and in the scope indispensable for achieving the purpose of the request, provided that the request specified the exact purpose and scope of the data.
Rights of data subjects
1. Right of access
You have the right to obtain confirmation from the controller as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the information listed in the Regulation.
2. Right to rectification
You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to erasure
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase personal data concerning you without undue delay where certain conditions apply.
4. Right to be forgotten
Where the controller has made the personal data public and is obliged to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you have requested the erasure of any links to, or copy or replication of, that personal data.
5. Right to restriction of processing
You have the right to obtain from the controller restriction of processing where one of the following applies:
you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
you have objected to processing; in this case the restriction applies for the period during which it is verified whether the legitimate grounds of the controller override your legitimate grounds.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (…)
7. Right to object
Where processing is based on legitimate interests or the exercise of official authority, you have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you (…), including profiling based on those provisions.
8. Objection to direct marketing
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, including profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
9. Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The previous paragraph shall not apply if the decision:
is necessary for entering into, or performance of, a contract between you and the controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your explicit consent.
Time limit for taking action
The controller shall provide information on action taken on the above requests without undue delay and in any event within 1 month of receipt of the request.
If necessary, that period may be extended by 2 further months. The controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.
If the controller does not take action on your request, the controller shall inform you without delay and at the latest within 1 month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Security of processing
The controller and the processor shall implement appropriate technical and organisational measures, taking into account the state of the art and the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The data must be stored in such a way that unauthorised persons cannot access them. In the case of paper-based media, this shall be ensured by establishing rules for physical storage and archiving; in the case of electronically processed data, by applying a central access management system.
The method of IT storage of data must be chosen so that deletion can be carried out when the retention period expires – also taking into account any different deletion deadlines – or where otherwise necessary. Deletion must be irreversible.
Paper-based media must be stripped of personal data using a shredder or with the help of an external organisation specialised in document destruction. In the case of electronic data carriers, physical destruction must be ensured in accordance with the rules governing the disposal of electronic data carriers and, where necessary, by prior secure and irreversible deletion of the data.
The controller implements the following specific data security measures:
To ensure the security of personal data processed on paper, the Service Provider applies the following measures (physical protection):
Documents are stored in a secure, dry and lockable room.
If paper-based personal data are digitised, the rules applicable to digitally stored documents shall apply.
During work, an employee carrying out data processing may only leave the room where processing is taking place if the media entrusted to them are locked away or the room itself is locked.
Personal data may only be accessed by authorised persons, and no third party may have access to them.
The Service Provider’s building and premises are equipped with fire protection and property protection devices.
IT protection
The computers and mobile devices (other data carriers) used during data processing are the property of the Service Provider.
The computer system used by the Service Provider containing personal data is protected by antivirus software.
In order to ensure the security of digitally stored data, the Service Provider uses backups and archiving.
Only persons with appropriate authorisation and specifically designated individuals may access the central server.
Data on computers can only be accessed with a username and password.
Information to the data subject about a personal data breach
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The data subject need not be informed if any of the following conditions are met:
the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular measures such as encryption, rendering the personal data unintelligible to any person who is not authorised to access it;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the breach resulting in a high risk, may require it to do so.
Notification of a personal data breach to the authority
The controller shall notify the personal data breach to the supervisory authority competent under Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.
Review in case of mandatory processing
If the duration of mandatory data processing, or the necessity of its periodic review, is not determined by law, municipal decree or a binding legal act of the European Union, the controller shall review, at least every three years from the start of processing, whether the processing of personal data carried out by the controller, or by a processor acting on its behalf or under its instructions, is necessary for the achievement of the purpose of processing.
The controller shall document the circumstances and result of this review, retain such documentation for ten years after the review and make it available to the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: Authority) upon request.
Right to lodge a complaint
In case of any infringement related to data processing, a complaint may be lodged with the Hungarian National Authority for Data Protection and Freedom of Information:
Hungarian National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf. 9.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Closing remarks
In preparing this notice, we took into account the following legislation and recommendations:
Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Act CVIII of 2001 on certain issues of electronic commerce services and information society services (especially Section 13/A);
Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers;
Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (especially Section 6);
Act XC of 2005 on electronic freedom of information;
Act C of 2003 on electronic communications (especially Section 155);
Opinion No. 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising;
Recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information.