Privacy notice

Please read this Notice carefully to understand how we process your personal data and to become aware of your rights regarding data management.

MM Studio (1087 Budapest, Baross tér 1, Studio Manager: Máté Gregus), as the data controller, respects the privacy of all individuals who provide personal data and is committed to protecting it. According to Article 13 of the General Data Protection Regulation of the European Union (Regulation No. 679/2016, hereinafter: GDPR), the following information is provided:

 

Data Controller Details:

Company Name: MM Studio – Next Production Group Ltd.

Registered Address: 1073 Budapest, Dob utca 68. 1/19.

Business Address: 1087 Budapest, Baross tér 1.

Website: http://mmstudio.hu

Contact Person: Máté Gregus

Phone: +36 30 409 4674

E-mail:

Data Protection Officer: under Article 37 of the GDPR, the data controller is not required to appoint a Data Protection Officer.

Data Protection Requests: if you have any requests or questions regarding data processing, you may submit them by post or electronically to the following addresses:

Postal Address: 1087 Budapest, Baross tér 1.

Email:

We will respond without delay, but no later than 25 days after receiving your request.

Data Processing Details: no data processor is used.

Transfers abroad: no transfers are made abroad.

 

Purposes of Data Processing:

The data controller processes data in accordance with applicable laws for the following purposes:

  a) Managing the data of individuals utilizing the services related to the activities of MM Studio, to fulfill obligations and maintain client relationships;
  b) Conducting marketing activities targeted at potential clients;
  c) Processing data of employees and job applicants;
  d) Managing contact information of partners’ representatives;
  e) Fulfilling client orders;
  f) Ensuring property protection and personal safety;
  g) Facilitating internal administration;
  h) Other purposes defined by law.

 

Purpose of Data Processing:

The purpose of data processing is to fulfil the service utilized by the data subject and to enforce related claims.

 

Description of Data Processing:

Processing of personal data provided by the data subject to fulfil the ordered service.

 

Legal Bases for Using Your Personal Data:

The use of your personal data is based on the following legal grounds:

  a) Issuance of invoices in compliance with accounting regulations: Legal basis: GDPR Article 6(1)(c).
  b) Communication: Legal basis: GDPR Article 6(1)(f). For data from employees and representatives of partners, the legal basis for data processing is a balance of interests. The legitimate interest of the data controller is ensuring business continuity.
  c) Processing of employee data: Legal basis: GDPR Article 6(1)(b) and (c).
  d) Processing of data of contractual partners: Legal basis: GDPR Article 6(1)(b).
  e) Marketing activities: Legal basis: GDPR Article 6(1)(a).

A Facebook page is also operated for marketing purposes; however, no independent database is created, and no profiling takes place.

  f) Online registration: Legal basis: GDPR Article 6(1)(a).
  g) Operation of security cameras: Legal basis: GDPR Article 6(1)(f). The legitimate interest of the data controller is property protection, and for employees, the employer’s legitimate interest as defined in the Labor Code.
  h) Photographs of natural persons: Legal basis: GDPR Articles 4(1), 4(2), and 12.

The balancing tests mentioned in points b and g can be reviewed upon request sent to .

 

Scope of Processed Data:

  • name of the Client (data subject) or business name, phone number, and email address;
  • personal data (copies of ID card, address card, and tax card);
  • photograph of a natural person;
  • email address;
  • security camera footage.

 

Source of Data:

The written contract between the data subject and the Data Controller (established upon acceptance of the booking).

 

Data Retention Period:

Invoices: retained for at least eight years due to legal obligations.

Documents serving as the basis for issuing invoices: retention period of eight years.

Documents related to employment contracts: retention period of 50 years.

Data provided for communication purposes: retained for up to one year after the relationship ends.

Data related to contract performance: retention period of five years.

Newsletter: data is retained until the data subject unsubscribes.

Security camera footage: retained for 30 days from the date of recording.

 

Data Transfer:

The data controller does not transfer personal data related to the use of the service to third parties. However, based on legal authorization, the National Authority for Data Protection and Freedom of Information or other authorities may request information, disclosure, or data transfer. In response to such requests, the data controller will provide the requested personal data only to the extent necessary to achieve the purpose specified by the requesting authority, ensuring the exact purpose and scope of the data are clearly indicated.

 

Rights of the Data Subject:

The data subject has the rights defined by law concerning their personal data.

  a) Right of access (the right to know and access personal data and whether data processing is taking place);
  b) The right to correct any outdated or inaccurate data;
  c) The right to have data deleted (only applicable to data processing based on consent);
  d) The right to restrict the processing of personal data;
  e) The right to prohibit the use of personal data for direct marketing purposes;
  f) The right to have personal data transferred to another service provider or to prohibit such transfer;
  g) The right to request a copy of any personal data processed by the data controller; or
  h) The right to object to the use of personal data.

Information on Legal Remedies:

The data subject has the right to request information at any time regarding personal data processed about them. Upon the data subject’s request, the data controller provides information about the personal data processed, the purpose and legal basis of the data processing, its duration, and the legal basis and recipient of any data transfer.

The data controller must provide written information in an intelligible form to the data subject within 25 days of the request (or within one month as per the GDPR, effective from May 25, 2018).

In Hungary, the supervisory authority for data protection is the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/C).

Judicial Remedies: data protection lawsuits fall under the jurisdiction of the courts. At the data subject’s choice, the lawsuit may also be initiated before the competent court based on their place of residence or habitual residence.

 

The Right to Data Portability:

The data subject is entitled to receive from the Data Controller, in a structured, commonly used, and machine-readable format, the personal data provided by them.

 

Rectification, Deletion, Restriction (Blocking) of Data:

The data subject may at any time modify or request the correction, deletion (except for mandatory data processing), or blocking of their personal data through the contact details of the Data Controller. The Data Controller will delete the data processed in connection with the service if its processing is unlawful, if the purpose of the data processing has ceased, if the legal retention period of the data has expired, if the Court or the National Authority for Data Protection and Freedom of Information has ordered it, or if the data processing is incomplete or erroneous, and this cannot be rectified, provided that the deletion is not prohibited by law.

 

Objection to the Processing of Personal Data:

The data subject may object to the processing of their personal data,

  • if the processing or transfer of personal data is necessary solely for the fulfilment of a legal obligation of the Data Controller or for the legitimate interest of the Data Controller or a third party (except for mandatory data processing),
  • if the personal data is used or transferred for the purpose of direct marketing, public opinion polling, or scientific research,
  • in any other case defined by law.

If the Data Controller determines that the objection of the data subject is justified, the data processing will be terminated, and the data will be blocked.