Privacy policy

Data controller’s data

Purpose of these rules

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”) and the 2011 Act on the Right to Information, Self-Determination and Freedom of Information (Directive 2011/36/EC). CXII of 2011 (hereinafter referred to as the “Infotv.”) and other applicable laws, the provisions of the following Data Management Policy (hereinafter referred to as the “Policy”) shall apply to the operation of Anita Sárkány, a self-employed entrepreneur (hereinafter referred to as the “Data Controller”).

The purpose of this Policy is to provide data subjects with adequate information about the data processed by the Controller, the purposes, legal basis and duration of the processing, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer.

Through this Policy, the Controller seeks to ensure compliance with the constitutional principles of data protection, the requirements of data security, to prevent unauthorised access to and unauthorised alteration or disclosure of data, and to meet the requirement of accountability.


  • data subject: a natural person identified or identifiable on the basis of any information;
  • personal data: any information relating to a data subject;
  • special categories of personal data: any data which fall within special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons,
  • health data: personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person which contain information about the health of that natural person,
  • consent: a freely given, explicit and properly informed indication of the data subject’s wishes by which he or she signifies, by a statement or by other conduct unambiguously expressing his or her wishes, his or her agreement to the processing of personal data relating to him or her;
  • controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and executes decisions regarding the processing (including the means used) or has the data processed by a processor, within the limits set by law or by a legally binding act of the European Union;
  • processing: any operation or set of operations which is performed upon the data, regardless of the procedure used, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of further use, taking of photographs, sound recordings or images, or any other physical means of identification of a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
  • transfer: making data available to a specified third party;
  • data erasure: rendering data unrecognisable in such a way that it is no longer possible to recover it;
  • restriction of processing: the blocking of stored data by marking them for the purpose of restricting their further processing;
  • data destruction: the total physical destruction of the data medium containing the data;
  • third party: any natural or legal person or unincorporated body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are carrying out operations for the processing of personal data;
  • data breach: a breach of data security resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data transmitted, stored or otherwise processed.

General rules on data processing

The Controller, as a psychologist, provides individual and group, face-to-face and online psychological counselling to data subjects. The Data Controller is primarily concerned with psychology, including sex psychology and organisational psychology, and therefore also processes personal and sensitive data. The Data Controller processes the data of natural persons under the age of 18 with the consent of the person exercising parental control.

The Controller processes personal data only for specified purposes, for the exercise of rights and the performance of obligations, to the extent and for the duration necessary to achieve those purposes. The Data Controller shall process personal data only with the prior consent of the data subject or on the basis of a legal authorisation and where the processing is necessary for the performance of a contract to which the data subject is a party.

If the Controller becomes aware that the data it is processing is inaccurate, incomplete or not up to date, it shall rectify it.

Principles governing the processing of personal data:

  • “lawfulness, fairness and transparency”: the processing of personal data must be carried out lawfully and fairly and in a transparent manner for the data subject;
  • “purpose limitation”: personal data should be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes;
  • ‘data minimisation’: personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
  • ‘accuracy’: personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay;
  • ‘limited storage: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • ‘integrity and confidentiality’: personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.

The Controller shall ensure maximum compliance with the principles relating to the processing of personal data in the course of its operations.

Data processing activities

Psychological counselling

Purpose of the processing

To maintain contact between the data subject and the Data Controller, to store personal data in electronic and paper form, to keep written records of the counselling sessions.

Scope of the data processed

Name, telephone number, e-mail address, billing address, any personal and specific data provided by the data subject during the counselling session.

Duration of processing

Data processing lasts for five years after the termination of the contract.

Legal basis for processing

– consent of the data subject (Article 6(1)(a) GDPR),

– processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR),

– the data subject has given his or her explicit consent to the processing of his or her personal data (GDPR.

Article 9(2)(a)).


Purpose of the processing

Processing of the contact initiated by the data subject, response to the request.

Scope of the data processed

Name, e-mail address, content of the message sent by the data subject.

Duration of processing

In the absence of a contract between the parties, the processing lasts for 6 months after the contact.

Legal basis for processing

Consent of the data subject (Article 6(1)(a) GDPR).


Purpose of processing

To inform the data subject about current news and information.

Scope of the data processed

Name, e-mail address.

Duration of processing

Data processing lasts until the data subject’s consent is withdrawn.

Legal basis for processing

Consent of the data subject (Article 6(1)(a) GDPR).

Data transmission

  • Name: MailChimp: The Rocket Science Group, LLC
  • Address: 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA
  • Purpose of transfer: newsletters are sent from MailChimp’s system.

Invoicing, accounting

Purpose of data processing

To comply with legal requirements.

Scope of data processed

Billing name, billing address, transaction amount, transaction date.

Legal basis for processing

Processing is necessary for the fulfilment of a legal obligation to which the controller is subject (GDPR.

Article 6(1)(c)).

Data transmission

Tax address: Name: Finanzamt Waiblingen Fronackerstraße 77, 71332 Waiblingen, Germany

Website use

By using the , website or by using its services (e.g. subscribing to a newsletter, online course, online consulting) or by initiating such services, the data subject consents to the processing of his or her personal data in accordance with the provisions of this Privacy Policy.

The data subject gives his or her consent by subscribing to a newsletter, registering for an online course or using any of the services on the website.

Online programmes are typically delivered via Zoom, Signal interface.

The hosting of the website is provided by MikroVPS Informatikai és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 7150 Bonyhád, Jókai Mór utca 3.). The provider’s privacy policy is available on the provider’s website:

The Data Controller may use cookies in the operation of the website  A cookie is a shorter text-type file that is stored on the hard disk of the computer or mobile device and is activated on subsequent visits.

Cookies facilitate and secure the use of the website, save certain user preferences and help to collect some relevant, statistical information about visitors to the website.

Some of the cookies do not contain any personal information and are not suitable for identifying the individual user, but some of them contain a unique identifier that is stored on the device of the data subject, thus ensuring the identification of the data subject.

Most browsers accept cookies by default, but the data subject may also choose to reject cookies or indicate when they are received. The data subject can delete cookies using their browser.

Google Analytics. The service may use cookies to collect information and generate reports on website usage statistics without individually identifying visitors to Google. For more information, please click on the following link:

Google Ads. Google Ads’ conversion tracking feature uses cookies. To track conversions from an ad, cookies are saved on a user’s computer when they click on an ad. For more information, please click on the following link:

Facebook Pixel: a Facebook pixel is a code that allows the website owner to receive analytics data about visitors’ website usage and conversions. Facebook Pixel is used to display personalized offers and ads to website visitors on Facebook. For more information, please click on the following link:

Your rights as a data subject

The data subject has the right to obtain, in relation to his/her personal data

  • to be informed of the facts relating to the processing of his or her personal data before the processing starts (hereinafter referred to as the “right to prior information”),
  • to have his or her personal data and information relating to the processing thereof made available to him or her by the Controller at his or her request (hereinafter referred to as the right of access),
  • to have his or her personal data rectified or completed by the Controller at his or her request (hereinafter referred to as the “right of rectification”),
  • at his/her request, to restrict the processing of his/her personal data by the Controller (hereinafter referred to as the “right to restriction of processing”),
  • at his/her request, to have his/her personal data erased by the Controller (hereinafter referred to as the right to erasure).
  • The Controller shall ensure the exercise of the rights of the data subject as set out below:
  • To ensure the right to information, the Controller shall make this Policy available to data subjects on its website.
  • In order to ensure the right of rectification, the Controller shall, where the personal data it processes are inaccurate, incorrect or incomplete, rectify, correct or complete them without delay, in particular at the request of the data subject.
  • In order to exercise the right to restriction of processing, the Controller shall restrict processing,
  • where the data subject contests the accuracy, correctness or completeness of the personal data processed by the Controller and the accuracy, correctness or completeness of the personal data processed cannot be established beyond reasonable doubt, for the period necessary to resolve the doubt,
  • where the data should be erased but there are reasonable grounds to consider, on the basis of a written declaration by the data subject or on the basis of information available to the Controller, that erasure would undermine the legitimate interests of the data subject, for the duration of the legitimate interest not to erase the data,
  • if the data should be erased, but investigations or proceedings carried out by or with the participation of the Controller or another public authority, as provided for by law, are
  • in particular in criminal proceedings, until the final or legally binding conclusion of such investigations or proceedings.
  • In order to enforce the right to erasure, the Controller shall promptly erase the personal data of the data subject where
    • processing is unlawful,
    • the data subject withdraws his or her consent to the processing or requests the erasure of his or her personal data,
    • the deletion of the data is required by law, an act of the European Union, the NAIH or a court ordered by a court or a judicial authority.

Legal remedies

If you have any comments or objections concerning the processing of your data, you should contact the Data Controller at the following contact details:

If you consider that the Controller is processing your personal data in breach of the requirements laid down by law or by a legally binding act of the European Union on the processing of personal data, you have the right to bring an action before the competent territorial court.

The Controller shall keep the data it processes in electronic and paper form at its headquarters.

Procedural rules

The data subject may request the deletion or modification of his/her personal data or request information on the processing of his/her personal data by sending an e-mail to the following address:

At the request of the data subject, the Controller shall provide information about the data processed by the Controller, the legal basis, the purposes and the duration of the processing. The Data Controller shall provide the information in writing within the shortest possible time from the request, but not later than one month.

If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further month. The Data Controller shall inform the data subject of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request.

Where the data subject has made the request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject requests otherwise.

The information shall be provided to the natural person in a concise, transparent, comprehensible and easily accessible form, in clear and plain language.

If the controller does not act on the data subject’s request, the data subject shall be informed without delay and at the latest within one month of receipt of the request of the reasons for the non-action and of the possibility to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

The controller shall provide the information free of charge, except in the following cases:

  • the data subject repeatedly requests information or action on substantially unchanged content,
  • the request is clearly unfounded and excessive.

Data protection incident

The Data Controller shall notify the territorial competent authority of a data protection incident that has occurred in relation to the data it processes without undue delay, but no later than 72 hours after becoming aware of the data protection incident.

A data protection incident need not be notified if it is unlikely to pose a risk to the rights of data subjects.

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay. The data subject need not be informed if any of the legal conditions are met.

Other provisions

This Policy entered into force on 30 March 2024. The Controller is entitled to amend the provisions of this Policy at any time.