Data Processing Notice
Regarding the use of GermanAnywhere’s language teaching services and interpretation services.
Effective as of: April 1, 2025
Introduction
This data processing notice aims to inform you as thoroughly as possible about the processing of your personal data, the method, purpose, and duration of processing. Personal data will be processed in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and the Council, dated April 27, 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, hereinafter referred to as the General Data Protection Regulation or GDPR).
Part I: Data Controller, Key Concepts, and Data Processing Principles
If you have any questions, complaints, or issues related to data protection or wish to exercise your rights as described below in this notice, please contact us via the above contact details.
In light of the above, the Data Controller specifically adheres to the following data processing principles:
Lawfulness, Fairness, and Transparency Principle: The Data Controller processes personal data lawfully and fairly, in a transparent manner for the data subject.
Purpose Limitation Principle: The Data Controller collects personal data only for specified, legitimate, and clear purposes, and processes the collected personal data in a manner compatible with these purposes.
Data Minimization Principle: The Data Controller ensures that the data processing is adequate, relevant, and limited to what is necessary for the purpose of processing, and does not collect or store more data than is absolutely necessary to achieve the purpose of the processing.
Accuracy Principle: The Data Controller ensures that personal data is accurate and kept up to date. The Data Controller takes all reasonable measures to ensure that inaccurate personal data is erased or rectified without delay.
Storage Limitation Principle: The Data Controller stores personal data in a form that permits identification of data subjects only for as long as necessary to fulfill the purposes of processing, and in accordance with the storage obligations defined by the applicable legal regulations.
Integrity and Confidentiality Principle: The Data Controller ensures the security of personal data through appropriate technical or organizational measures to protect it against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Accountability Principle: The Data Controller is responsible for ensuring compliance with the aforementioned principles and is able to demonstrate this compliance. Accordingly, the Data Controller ensures continuous implementation of this data processing notice and relevant internal policies, regular reviews of data processing, and the modification or supplementation of data processing procedures as necessary.
II. Section: Data Processing Processes
This section describes in detail the data processing operations carried out by the Data Controller in relation to its language teaching and interpreting activities and the activities connected to them, grouped by specific data processing purpose. Any personal data voluntarily provided by the data subject beyond the processed data listed will be immediately deleted.
1. Customer Service Data Processing
Purpose of Data Processing: The purpose of this data processing is to manage customer service inquiries sent via email to the Data Controller, answer questions, and maintain communication. The Data Controller uses the data provided by the data subject solely for the purpose of responding to the inquiry. This section applies to emails sent to the Data Controller as well as emails sent via the “Contact” section on the following websites: https://germananywhere.hu, https://germananywhere.de, and https://germananywhere.com.
Legal Basis for Data Processing: Consent of the data subject in accordance with Article 6(1)(a) of the GDPR, which is provided by the data subject when submitting the inquiry and the data contained in it.
Data Subjects: Individuals who submit customer service inquiries.
Processed Data:
Data Retention Period: The personal data processed in this context will be retained until the data subject withdraws their consent, but no longer than one year from the substantive closure of the customer service inquiry.
Recipients: No data will be transferred to third parties or data processors engaged by the Data Controller.
Data Subject Rights Related to Data Processing:
2. Data Processing Related to Course or Webinar Registration
Purpose of Data Processing: The purpose of this data processing is to provide specific course offers to applicants. The data provided by the applicant is essential for identification, contact, and the preparation of training contracts.
Legal Basis for Data Processing: The legitimate interest of the Data Controller according to Article 6(1)(f) of the GDPR.
Data Subjects: Individuals applying for a course.
Processed Data for Courses Under the Scope of the Act on Adult Education (Fktv):
Processed Data for Courses Not Under the Scope of the Act on Adult Education (Fktv):
Data Retention Period: The personal data processed in this context will be retained until the training contract is concluded or until the application is withdrawn.
Recipients: The registration is done via Google Forms, in which case Google acts as a separate data controller.
The Google Privacy Policy and General Terms and Conditions can be found here: Google Privacy Policy.
Data Subject Rights Related to Data Processing:
3. Conclusion of the Training Contract and the Use of the Hungarian Adult Education Data Service System (FAR)
Purpose of Data Processing: The purpose of this data processing is to fulfill the data provision obligations imposed by law and to carry out the training process.
Legal Basis for Data Processing: The fulfillment of a legal obligation under Article 6(1)(c) of the GDPR, in accordance with Section 15(1)(b) and Section 21 of Act LXXVII of 2013 on Adult Education (hereinafter: Fktv.).
Data Subjects: Natural persons who enter into a training contract with the Data Controller.
Processed Data:
For applicants:
Data Retention Period: The personal data processed in this context will be retained for eight years from the conclusion of the training contract, in accordance with Section 21(5) of the Fktv.
Recipients:
Data Subject Rights Related to Data Processing:
4. Data Processing Related to Invoicing
Purpose of Data Processing: Issuance of invoices.
Legal Basis for Data Processing: Data processing is necessary for the performance of a contract to which the data subject is a party, based on Article 6(1)(b) of the GDPR.
Data Subjects: Natural persons who enter into a training contract with the Data Controller and are subject to invoicing based on the contract.
Processed Data: Name, address.
Data Retention Period: In accordance with Section 169(1) of Act C of 2000 on Accounting, the data will be retained for eight years from the issuance of the invoice.
Recipients:
Data Subject Rights Related to Data Processing:
Purpose of data processing:
Recording customer complaints, managing complaints related to service activities.
Legal basis for data processing:
Based on Article 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation to which the data controller is subject, in accordance with Section 17/A (5) of Act CLV of 1997 on Consumer Protection.
Data subjects:
Complaining consumers.
Processed data:
Storage period:
According to Section 17/A (7) of the Act CLV of 1997 on Consumer Protection, the data will be stored for 5 years from the date of the complaint report.
Recipient:
No data is transferred to third parties or data processors.
Rights related to data processing for the data subject:
A) Zoom:
Purpose of data processing:
The lesson recordings are made available to subscribers, via a unique password generated for this purpose, so that they can review and deepen their understanding of the material discussed during the course.
Legal basis for data processing:
According to Article 6(1)(b) of the GDPR, data processing is necessary for the performance of a contract to which the data subject is a party.
Data subjects:
Natural persons participating in the course.
Processed data:
Storage period:
Recipient:
The recordings are made and stored via the Zoom system, and Zoom qualifies as an independent data controller.
Zoom-related data processing documents:
Rights related to data processing for the data subject:
B) Google Meet:
Purpose of data processing:
The lesson recordings are made available to subscribers, via a unique password generated for this purpose, so that they can review and deepen their understanding of the material discussed during the course.
Legal basis for data processing:
According to Article 6(1)(b) of the GDPR, data processing is necessary for the performance of a contract to which the data subject is a party.
Data subjects:
Natural persons participating in the course.
Processed data:
Storage period:
Recipient:
The recordings are made and stored via the Google Drive system, and Google qualifies as an independent data controller.
Google-related data processing documents:
Rights related to data processing for the data subject:
7. Website-related traffic data processing (Google Analytics, Google Search Console)
Purpose of data processing:
The data controller installs small data files (cookies) on the user’s computer when using the website. These files cannot be directly linked to the user and are used for the following purposes:
Legal basis for data processing: Your prior, voluntary consent.
Affected parties: Website visitors
Types of processed data: Identification number, date, time
Data retention period: Until the withdrawal of your consent.
Please note that the withdrawal of consent does not affect the legality of the data processing carried out based on your consent prior to its withdrawal.
Further information about cookies (their exact names and functions) is available at the following links:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
https://policies.google.com/?hl=hu
The Google Privacy Notice is available at the following link:
https://support.google.com/analytics/answer/9019185?hl=hu#zippy=%2Ca-cikk-tartalma
Rights related to data processing for the affected party:
Limiting the operation of Google Analytics:
If you do not want to allow the use of cookies by Google Analytics, you can limit the data processing with the settings available at the following link:
https://policies.google.com/technologies/cookies
Google Analytics – additional information:
Information created through cookies related to the website used by the user is typically transferred and stored on one of Google’s servers in the USA.
By activating IP anonymization on the website, Google shortens the user’s IP address within the European Union member states or other countries that are part of the European Economic Area agreement.
Only in exceptional cases will the full IP address be transferred to Google’s server in the USA and shortened there. On behalf of the website operator, Google will use this information to evaluate how the user has used the website and to prepare reports related to website activity, as well as to provide additional services related to the use of the website and the internet.
Within the framework of Google Analytics, the IP address transmitted by the user’s browser is not merged with other data held by Google. The user can prevent the storage of cookies by adjusting their browser settings, but please note that in such a case, not all features of this website may function fully.
7. Social Media – Facebook
The data controller operates a Facebook profile at https://www.facebook.com/germananywhere. The Facebook privacy policy is available here.
7.1 Purpose of data processing:
To share, like, follow, or promote certain content elements, products, or the website itself (https://germananywhere.hu, https://germananywhere.de, https://germananywhere.com) on social media platforms.
7.2 Legal basis for data processing:
Section 5(1)(a) of the Info Act, as well as Article 6(1)(a) of the European Parliament and Council Regulation 2016/679, “the data subject has given consent to the processing of their personal data for one or more specific purposes.”
7.3 Processed personal data:
The registered name on the Facebook social network and the user’s public profile picture.
7.4 Affected parties:
Any individual who is registered on Facebook, the social network, and has “liked” the website or shared a post about it.
7.5 Data retention period:
For the source of the data, how it is processed, how it is transferred, and the legal basis for processing, the affected party can consult the specific social media site.
Since data processing takes place on the social media platforms, the duration, method of data processing, and the rights to delete or modify the data are governed by the regulations of the respective social media platforms.
8. Student Reviews on the Website
Opinions related to the service are displayed on the website. In order to distinguish these entries from each other, the name and profile picture provided by the reviewer will be displayed alongside the post.
8.1 Purpose of data processing:
To distinguish the reviews from one another, in some cases by means of the name and profile picture provided by the reviewer.
8.2 Legal basis for data processing:
The consent of the person writing the review.
8.3 Types of personal data processed:
The name of the reviewer, their image, the text they wrote, and, if applicable, additional images they created.
8.4 Affected parties:
Individuals who write reviews and consent to their publication.
8.5 Data retention period:
The data will be retained until the affected party withdraws their consent, but no later than the termination of GermanAnywhere.
9. Data Processing related to Facebook Remarketing
The data controller operates a Facebook profile at https://www.facebook.com/germananywhere. The Facebook privacy policy is available here.
The data controller uses the Facebook Pixel service, which helps the data controller display personalized ads on Facebook.
9.1 Purpose of data processing:
To display personalized advertisements on the social media platform.
9.2 Legal basis for data processing:
The prior, voluntary consent of website visitors.
9.3 Types of personal data processed:
Visitor’s IP address, as well as the time, duration of the visit, browser type, operating system, type of device used, and screen resolution.
Additionally, HTTP headers, pixel ID, and data on clicks on cookies and buttons.
When the Facebook website is opened, the Facebook Pixel embeds a cookie directly on the user’s device. If the user later logs into Facebook or visits Facebook pages, their visit to our website will be recorded. The data obtained is completely anonymous to us, meaning no one can be identified based on this information. The data is stored and processed by Facebook and can be linked to the user profile. Facebook processes the data according to its own privacy policy. More information on the pixel’s functionality and Facebook ads can be found in Facebook’s privacy policy: https://www.facebook.com/policy.php.
9.4 Affected parties:
Website visitors.
9.5 Data retention period:
180 days or until the data processing is withdrawn.
Further information on Facebook Pixel: https://boommarketing.hu/facebook/facebook-pixel/
III. Section: Data Security
1. Storage of Personal Data and Security of Data Processing
The data controller selects and uses IT tools and solutions, especially security systems, to ensure that personal data is accessible only to authorized persons, its authenticity and authentication are ensured, its integrity is verifiable, and it is protected against unauthorized access.
The data controller protects personal data with appropriate measures, particularly against unauthorized access, alteration, privacy incidents, data theft, data leakage, transmission, disclosure, deletion, or destruction, as well as accidental destruction and damage, and against becoming inaccessible as a result of changes in the technology used.
The data controller, considering the current level of technical development, ensures the security and protection of its data processing with technical, organizational, and procedural measures that provide an appropriate level of protection for personal data.
During processing, the data controller ensures that only authorized individuals have access to the personal data (confidentiality), that the personal data and the processing method are accurate and complete (integrity), and that the personal data is available when an authorized data subject needs it (availability).
Personal data is transmitted via the internet to third parties (Pest County Government Office, Educational Authority, National Tax and Customs Administration). Data transmitted via the internet and electronic messages is exposed to network risks regardless of the protocol used (e.g., e-mail, web, FTP), which may lead to dishonest activities, disputes, or the disclosure or modification of information. To mitigate such risks, the data controller takes all necessary security measures.
2. Data Protection Incidents and their Management
According to the GDPR, a data protection incident is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, transmitted, stored, or otherwise processed personal data. Therefore, any event or situation where the personal data of the data subject may fall into unauthorized hands is considered a data protection incident.
In case of a data protection incident, the data controller will report the incident to the competent supervisory authority without undue delay and at the latest within 72 hours after the data controller becomes aware of it, and will inform the affected party if the data protection incident is likely to result in a risk to the rights and freedoms of natural persons.
IV. Section: Legal Enforcement
1. Complaints, Legal Enforcement Opportunities
If the data subject believes their personal data has been handled unlawfully, they may submit a complaint to the data controller, which will investigate the complaint within 30 days of receiving it. Please send your complaint to one of the contact details listed in Section I, Point 1.
Alternatively, the data subject can file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) as the supervisory authority at the following contact details:
Headquarters: 1055 Budapest, Falk Miksa Street 9-11.
Postal address: 1363 Budapest, P.O. Box 9.
E-mail address: ugyfelszolgalat@naih.hu
Online service available at: https://www.naih.hu/online-ugyinditas
Phone: +36-1/391-1400
Fax: +36-1/391-1410
Representative: Dr. habil. Attila Péterfalvi, President
Website: www.naih.hu
Additionally, the affected party has the right to judicial enforcement. The lawsuit can be initiated by the affected party, either in the court of their place of residence or their place of stay.
2. Common Procedural Rules
Please provide the necessary identification details and mailing address in your inquiry. If there is any doubt regarding the identity of the data subject or if the provided information is insufficient for identification, the data controller is entitled to request additional identifying information.
The deadline for handling the inquiry is 30 days, which may be extended by the data controller for an additional 60 days if necessary. The affected party (complainant) will be informed of this extension with a reasoned explanation within 30 days of their inquiry.
The data controller will respond in writing to inquiries in the form in which they were received, i.e., postal inquiries will be answered by post, and email inquiries will be answered by email unless the requester specifies otherwise in their inquiry.
Please make your inquiry in writing if possible. Please only exercise your right to verbal communication if you cannot reach us otherwise, as written communication protects the interests of both the affected party and the data controller with respect to evidence.
The data controller will fulfill justified requests free of charge. However, if the request is obviously unjustified or, especially due to its repetitive nature, excessive, the data controller is entitled to charge a reasonable fee or refuse to take action based on the request.